Exam (elaborations)

CIPP/E Exam Questions with complete solutions.

Pages: 7
Grade: A+
Uploaded on: 17-07-2022
Written in: 2021/2022

Outliers work on their website to Company X, employee of Company X steals the data - delete it - tells boss.
Q: What is Company X legally obliged to do?
A: Notify Outliers
Q: What does Outliers then need to do?
A: Nothing as data was deleted
Q: Follows on with Cookies question?
A: Consent to opt-in to cookies

Privacy notice for new Health App collecting sensitive data.
Q: What is the problem with the draft?
A: The form is asking for health information from the outset, which is not legal
Q: Potential problem with collecting children data?
A: Need to demonstrate steps to gain parental consent

Anna is lawyer for university tasked with Student Records. Frank is a professor. Four types of data:
- Student Data - personal info
- Employee Data - personal info
- Alumni Data - personal info
- Department of Education Data: demographic data - no personal identifiers (used to see how first year students progress, etc.)
Frank wants to build a database to process data and see how first year students in his class progressed. Frank builds algorithm to process data without identifiers. All university systems are encrypted. Takes data to his home laptop which is not encrypted. Loses laptop.
Q: Which types of data does Anna NOT have to include in her record of processing activities?
A: Department of Education Records
Q: What should the Anna/DPO check to confirm he can process those data?
A: More information about the algorithm he has developed
Q: He loses the data, what should happen next? Should they inform the students?
A: Yes because potential high risk since data was not encrypted

Case study on guy gets photo taken at a gym in Germany
- consents to them using it for marketing
- Gym HQ in France
- Gyms all over EU
- He lives in UK
- Submits request to ICO in UK
- ICO refers to CNIL (this is the SA in France)
Q: In effort of Cooperation (the lead SA, CNIL, gets their judgement) what should they do now?
A: Draft a draft decision and submit to supporting SAs for their opinion.
Q: What does he have to do for lawsuit? (each location is a controller!)
A: Go to each gym branch...
Q: Question on what he should do if he wants to sue
A: Sue ANY relevant branch as each can be liable for entire damage

ABC Insurance gives data to subsidiary which begins direct marketing to Jason. Jason decides to switch insurance companies. ABC Insurance is direct marketing to Jason. Jason asks them to stop but they say that there is a line in the contract he signed saying he consents to direct marketing and he doesn't stop. Wants to transfer data - they give it to him in PDF format. He asks for them to transfer and they can't because it's too time-consuming and not feasible.
Q: According to GDPR regulations on direct marketing (note: I think the wording here is key), can Jason stop ABC from direct marketing?
A: Jason has right to object and ABC must immediately stop using his data.
Q: If Jason asks to stop use of his data, what must the ABC insurance subsidiary do?
A: Stop using the data unless for legal matters in which subsidiary is involved.
Q: Did ABC violate GDPR by not sending the data to the new insurance company?
A: No, because sending it is not possible. Undue strain on the company to send it which infringes on their rights. PDF format is enough.

Guy runs a social media company for small businesses along with a few other things. Sends data to Hermes for Sub Processing - they then use the data to create ads on their personal website. Girl accidentally posts her business plan in the chat function of the website and leaves it for 2 weeks. Goes to SA about data breach. Serge posts a quote on his Social Media page and this ends up as a quotation on the main site attributed to Serge.
Q: Why would the girl who leaked her business plan likely not have a case with GDPR:
A: Because of the nature of the data (I chose this one because it was a business plan and likely did not contain personal data)
Q: What's concerning about Hermes?
A: They are processing for a new purpose
Q: What did he likely miss?
A: Providing an opt out for transfer
Q: What's concerning about Serge's misuse of data?
A: The data was used out of the context of the Social Media Service and outside of service.

Based in France but hosts website and data on US hosting company.
Q: What should Wondermind include in the contract with hosting company:
A: Ensure that they have appropriate technical and organizational measures
Q: What should Wondermind include in the contract to data subjects
A: Categories of Processing Recipients (no need to provide processor contact information).

Processing data to gather advert behaviors (Irish clothing company). Markets to men, women, and children. Wants to do some big time profiling.
Q: What would be the biggest thing to require a DPIA
A: Doing Profiling to gather purchasing and other behaviour on customers.

Q: When does a company not have to comply with right to portability?
A: Processed on basis of consent and/or contract

Q: What did the convention and the directive have in common but unable to accomplish
A: Enforcement

Q: Who can propose new laws in EU? / Who can propose legislation in EU?
A: EU commission

Q: Who approves adequate countries?
A: EU Commission - has the ability to update, grant and remove the adequacy status of a country.

Q: Why was data retention directive invalidated in 2014?
A: It impacts everyone without exception (their privacy rights)

Q: What was the goal of the original EU DP Directive 95/46?
A: To further reconcile the protection of fundamental rights with free flow of data from one member state to another

Q: What best defines GDPR?
A: Comprehensive

Q: What do GDPR and Convention 108 have in common?
A: International Data Transfers

Q: Question regarding right to privacy:
A: Must be balanced with other rights and freedoms

Q: What is out of scope / not covered in the GDPR?
A: Anonymous

Q: Pseudonymisation - which is NOT true?
A: Is a procedure by which ALL identifying fields are removed

Q: What is true about Pseudonymisation?
A: Gives controllers a bit more leeway on if/how they can process data besides purpose of initial collection and processing.

Q: Employee requesting information from employer?
A: They have to comply unless there's an exemption

Q: Why consent is not the best legal basis for employees?
A: imbalance of power - employee will feel pressured to give consent.

Q: The processor has now made a decision on purpose of processing?
A: The processor is now deemed as the controller

Q: What is REQUIRED for a company to market to EU consumer via email? (bit of a trick question)?
A: Prior opt-in Consent or previous customer purchase

Q: Special category?
A: Trade Union

Q: Member states have ability to enact local laws for what?
A: Age of child consent

Q: When would consent NOT be needed from a child?
A: Providing counseling services

Q: When does data subject have right to object?
A: Direct Marketing

Q: Responding to SARs?
A: 1 month to respond to a SAR with a potential extension of 2 months.

Q: What is out of scope in terms of cross-border data transfers under GDPR?
A: American company, transacting with South African company using software built in the EU - Slightly different wording, but should be easy to spot

Q: When is DPIA needed?
A: Type of processing is "likely to result in a high risk to the rights and freedoms of natural persons"

Q: What is NOT needed in article of processing records?
A: Results from a DPIA

Q: What is the main purpose of the DPO
A: Ensure compliance with local and EU Data Protection Law

Q: When is DPO required?
- Public Authority
- Regular and System Monitoring on Large Scale
- Large Scale processing of special categories of data

Q: What information DOES NOT need to be provided (gives you a list)? Processor has a breach - what don't they need to include in their breach report.
A: Link to DPIA

Q: Processor notifies controller for a breach?
A: Without undue delay after becoming aware of it

Q: Which of the following is NOT included in processor contract?
A: Purpose of processing

Q: Data subject notice required?
A: Without undue delay. Only if this results in a HIGH risk to the rights and subjects of natural persons

4% or 20M Euros Tier 1
- violation of Consent, Access, Purposes of Processing are the MOST SEVERE
- keeping data subject from exercising his/her rights
- international data transfer protocol violation
2% or 10M Euros Tier 2
- Violation of technical organization measures (think smaller, day-to-day tasks that might be violated)

Q: How long does one DPA have to reply to another DPA on a cooperation request?
A: 1 month

Q: What info needs to be provided to a Data Subject if their data collected indirectly?
A: Source of the data

Q: *If the data for DS is collected via indirect means what is the controller's primary obligation?
A: Inform the Data Subject about it.

Q: ****Safeguard under 'Article 42'?
A: keyword is "NEW" to GDPR - Certifications

Q: What is Forum Shopping?
A: Choosing to place your Headquarters or Main Establishment in a State with more relaxed Privacy laws

Q: Lead SA questions?
A: Investigative powers. They have the right to access data for investigational purposes. INVESTIGATE POWERS they can collect and if they can leverage penalties after controller has been convicted in court of law

Q: Company X contracts company Y to process. Company Y has a breach, what is its first priority?
A: Inform company X immediately

Q: What will an employer do with employee data once they are terminated?
A: They will keep data legally required to keep

Q: ****CCTV - what would you NOT need to do first?
A: Create a retention policy

Q: Question regarding in which scenario would GDPR apply
A: US citizen residing in EU purchases off of US website. Would apply because EU resident.

Q: ***Processor has data on USB drive that is breached, but then deleted - why no notification needed to data subject?
A: Because it was deleted and low risk of harm to individuals

Q: ****What's needed for processor to engage sub processor
A: Written confirmation from controller and assurance that processor is up to technical and organization measures

Q: ****BCR rules required by employees
A: employees must follow all rules of the BCR no matter where they work

Q: What did ePrivacy make happen in 2009?
A: Mandatory Data Breach notification from Electronic Comms Providers

Q: What would concern e-Privacy?
A: Calling Prospective Customers to tell them about a new product

Q: What can an org do to make data Pseudonymous?
A: Hold info with a direct link to personal data separately

Q: what pseudonymization is useful for
A: Gives controllers more leeway on if/how they can process data besides purpose of initial collection and processing

Q: "main tasks or purpose of the DPO".
A: Ensure compliance with local and EU Data Protection Law

Q: What is NOT an effective way of communicating a breach to data subjects according to WP29's "Guidelines on Personal Data Breach Notification"
A: Prominent Notice on company's "Blog/Newsletter" - NOT APPROVED

Q: Multiple companies want to use a single DPO... what needs to happen?
A: DPO needs to be easily accessible by all companies

Q: What could they use to MOST EFFECTIVELY assist them in conducting a DPIA?
A: Existing DPIA guides published by SAs

Q: Who can adopt standard contract clauses other than the EU Commission?
A: National Data Protection Authorities

Q: What is a power of the SA
A: Right to access data for investigative purposes

Q: choose the example of an investigative action from a list of 4
A: Authority to select penalties when controllers are found guilty in court of law

Q: Pictures are considered biometric data, but what is the most likely reason these are permitted in this situation?
A: Photos qualify as biometric only when undergoing "specific technical processing"

Q: Which of these poses the biggest challenge in regards to BYOD?
A: Controllers must control data they hold at all times

Q: Multiple DPIA question - working party ruling and guidelines when a single DPIA would apply across multiple scenarios
A: A Railway Operator gathering and reviewing video surveillance from all train stations

Q: Which is an adequacy mechanism?
A: Standard contract clause Ad

