Exam (elaborations)

CIPP,E IAPP Practice Questions and Answers 2023

Pages: 45
Grade: A+
Uploaded on: 14-01-2023
Written in: 2022/2023

1. Which of the following data protection milestones is a treaty among member states of the Council of Europe?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR
Answer: Convention 108

2. Which of the following data protection milestones applies to public electronic communications services and networks?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR
Answer: e-Privacy Directive

3. The Universal Declaration of Human Rights is a product of which institution?
-The United Nations
-The Council of Europe
-The European Union
Answer: The United Nations

4. Which European institution is composed of 47 member states?
-The Council of Europe
-The European Union
-The European Economic Area
Answer: The Council of Europe

5. Choose the characteristic that describes the European Parliament.
-Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget
-Defines the EU priorities and sets the political direction for the EU
Answer: Defines the EU priorities and sets the political direction for the EU

6. Choose the characteristic that describes the European Council.
-Sets the overall political agenda of the EU
-Negotiates and adopts laws
Answer: Sets the overall political agenda of the EU

7. Choose the characteristic that describes the Council of the EU.
-Is sometimes described as the executive body of the EU
-Is one of the main decision-making bodies of the EU
Answer: Is one of the main decision-making bodies of the EU

8. Choose the characteristic that describes the European Commission.
-Has the power to propose legislation
-Is composed of a directly elected body
Answer: Has the power to propose legislation

9. Choose the characteristic that describes the Court of Justice of the EU.
-Makes decisions on issues of EU law
-Is based in Strasbourg
Answer: Makes decisions on issues of EU law

10. What is the function of the 4 step test?
-Determine if data qualifies as personal data
-Determine if personal data is anonymous
-Determine if personal data belongs to special categories
-Determine if personal data is pseudonymous
Answer: Determine if data qualifies as personal data

11. Which criteria are used to identify personal data? Select all that apply.
-natural person
-an identified or identifiable
-any information
-relating to
-or anonymous
Answer: All EXCEPT "or anonymous"

12. Select the types of personal data elements that belong to special categories under the GDPR.
-Personal data revealing religious or philosophical beliefs
-Data relating to personal interests and hobbies
-Data concerning health
-Personal data revealing political opinions
-Personal data revealing financial information
-Genetic data used to uniquely identify a natural person
Answer: All EXCEPT personal interests and hobbies; financial information

13. True or false: Personal data either belongs to special categories or does not. There is no grey area.
Answer: False

14. True or false: Anonymising personal data is always possible.
Answer: False

15. True or false: Pseudonymous data is protected by the GDPR.
Answer: True

16. True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity.
Answer: False

17. True or false: A contract protects a processor from being held to the same legal obligations as the controller.
Answer: False

18. True or false: A processor may decide where and how to process personal data.
Answer: False

19. True or false: When personal data is being processed, there is always a controller.
Answer: True

20. What is data processing?
-Any action involved in securing and protecting data
-Any action performed upon data
-Any action involved in collecting personal data
-Any action that adapts or alters data
Answer: Any action performed upon data

21. What are the criteria used to determine the territorial scope of the GDPR? Select all that apply.
-Processing of personal data of EU subjects relating to offering goods or services or monitoring behaviour
-Processing of personal data by a controller not established in the EU but in a place where member state law applies
-Processing of personal data when a controller or processor is established in the EU
Answer: All

22. Which of the following fall under the material scope of the GDPR? Select all that apply.
-Processing personal data without human intervention
-Processing anonymous data
-Processing personal data that forms part of a filing system
Answer: All EXCEPT anonymous data

23. True or false: Exclusions to the material scope of GDPR should be interpreted broadly.
Answer: False

24. True or false: At least three of the legitimate processing criteria within the GDPR must be met for personal data to be processed legally.
Answer: False

25. Read the following and select all the GDPR principles that have been violated: An access control system used by an organization's maintenance team for building security is later used by a manager in a different department to determine if employees are arriving late for work. The employees are not informed of this new processing action, and the manager does not create consistent records of the processing activities.
-Integrity and confidentiality
-Accountability
-Data quality and accuracy
Answer: This violates Integrity and confidentiality; Accountability

26. Which legitimate processing criterion is commonly used when a customer purchases a good or service?
-Consent
-Vital interests
-Contract
Answer: Contract

27. Which exception to the prohibition on processing special categories of data must be explicit?
-Vital interests
-Publicly available data
-Consent
Answer: Consent

28. Select all that are potential solutions to lengthy privacy notices.
-Key notices
-Standardized icons
-Terms of Agreement
-Just in time notices
-Layered privacy notices
Answer: All EXCEPT Key notices; Terms of Agreement

29. True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in oral format.
Answer: False

30. True or false: Privacy notices should use visualisation where appropriate.
Answer: True

31. True or false: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable.
Answer: True

32. True or false: The transparency principle states that detail is more important than conciseness in a privacy notice.
Answer: False

33. The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States?
-Use of automated decision making
-Source of the data
-Intention to transfer data internationally
-Controller's legitimate interest
Answer: Intention to transfer data internationally

34. What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing?
-Source of the data
-Controller's legitimate interest
-Recipients of the data
-Legal basis for transferring data internationally
Answer: Controller's legitimate interest

35. What information must be provided to data subjects when the personal data that will be processed was collected indirectly?
-Source of the data
-Storage period
-Statutory or contractual requirement
-Controller's legitimate interest
Answer: Source of the data

36. What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service?
-Use of automated decision making
-Recipients of the data
-Intention to transfer data internationally
-Source of the data
Answer: Recipients of the data

37. What information must be provided to the data subjects in all circumstances? Select all that apply.
-Identity of the controller
-Controller's legitimate interest
-Purpose of processing
-Data subjects' rights
Answer: All EXCEPT legitimate interest

38. Where would a full version of the privacy notice be located in a layered notice?
-The top layer
-The second layer
-The third layer
Answer: The third layer

39. True or false: Upon indirect collection, information provision should happen within a reasonable period of time.
Answer: True

40. True or false: Information provision is required, even if it necessitates disproportionate effort.
Answer: False

41. CIAR stands for:
-Confidentiality, information, availability and risk assessment
-Continuity, integrity, access, and resilience
-Confidentiality, integrity, availability and resilience
-Continuity, information, access and risk assessment
Answer: Confidentiality, integrity, availability and resilience

42. Pick the correct phrase: "Taking into account the ____, the cost of implementation and the nature, scope, context and purposes of processing ..." (Article 32).
-state of the art
-risk of varying likelihood
-a level of security appropriate to the risk
-appropriate technical and organisational measures
Answer: state of the art

43. Pick the correct phrase: "the controller and the processor shall implement ____" (Article 32).
-appropriate technical and organisational measures
-state of the art security
-risks of varying likelihood
-encryption appropriate to the risk
Answer: appropriate technical and organisational measures

44. True or false: The most cutting-edge security is always the best choice for security.
Answer: False

45. ____ is/are a key part of the equation when assessing risk.
-Controller obligations
-Expected loss
-Purpose of processing
-Data subject rights
Answer: Expected loss

46. Which of the following should be considered for a holistic approach to data security?
-A policy framework
-Information technology
-Incident detection and response
-All of the above
Answer: All of the above. Additional considerations may include management, and worker buy-in, and the physical environment.

47. ____ must be included in a processor contract. Check all that apply.
-The categories of data subjects
-The nature and purpose of the processing
-The subject matter and duration of the processing
-The type of personal data
-The method for destroying personal information following processing activities
Answer: All EXCEPT the method for destroying personal data. The contract should also contain the obligations and rights of the controller.

48. True or false: A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure.
Answer: True

49. True or false: A processor may process personal data only on documented instructions from the controller.
Answer: True

50. A controller must notify the supervisory authority of a personal data breach if ____.
-A breach is likely to result in a risk to the rights and freedoms of natural persons
-A breach is likely to result in a high risk for the rights and freedoms of natural persons
Answer: A breach is likely to result in a risk to the rights and freedoms of natural persons

51. A controller must notify the data subjects of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless ____. Pick all that apply.
-Individual notice requires disproportionate effort
-Prior implementation of appropriate technical and organisational measures rendered the personal data unintelligible or encrypted
-Post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects
Answer: All

52. Which of the following data subject rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Pick all that apply.
-Right of access
-Right of erasure
-Right to object
-Right to restriction of processing
Answer: Right of access

53. Right of access grants data subjects access to which of the following types of information? Select all that apply.
-The means of data storage
-Retention periods
-The purpose of processing
-Locations where the data is being processed
Answer: The purpose of processing; Retention periods; Locations where the data is being processed

54. The right to be forgotten is part of what data subject right?
-Right to data portability
-Right to erasure
-Right to restriction of processing
-Right to rectification
Answer: Right to erasure

55. Which of the following is not a method listed by the GDPR as a method for restricting processing of personal data? Select all that apply.
-Noting the restriction in the system
-Moving the data to a separate system
-Temporarily blocking a website
-Disabling the data management system
Answer: Disabling the data management system

56. Which of the following are categories under which a data subject may object to processing his or her personal data? Select all that apply.
-Establishment, exercise or defense of legal claims
-Direct marketing
-Public interest or legitimate interest
-Research or statistical purposes
Answer: All EXCEPT Establishment, exercise or defense of legal claims

57. What is profiling?
-The processing of personal data gathered from social media sites
-A form of automated decision making
-The act of enabling cookies
-All of the above
Answer: A form of automated decision making

58. True or false: Both controllers and processors have accountability obligations under GDPR.
Answer: True

59. True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase.
Answer: True

60. What are the main values of a data protection impact assessment (DPIA)? Select all that apply.
-Demonstrating compliance to supervisory authorities
-Incorporating data protection considerations into organisational planning
-Determining the purpose of processing personal data
Answer: Demonstrating compliance to supervisory authorities; Incorporating data protection considerations into organisational planning

61. True or false: The GDPR requires controllers to always contact the supervisory authority following a DPIA and

Institution: Cipm
Course: Cipm











Seller: tutorclara, Johns Hopkins University