IAPP-CIPP/E-Glossaryterms-2023-Final Exam
With Complete Solution
Accountability - Correct Answer-The implementation of appropriate technical and
organisational measures to ensure and be able to demonstrate that the handling of personal
data is performed in accordance with relevant law, an idea codified in the EU General Data
Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules.
Traditionally, accountability has been a fair information practices principle, that due diligence
and reasonable steps will be undertaken to ensure that personal information will be protected
and handled consistently with relevant law and other fair use principles.
Accuracy - Correct Answer-Organizations must take every reasonable step to ensure the data
processed is accurate and, where necessary, kept up to date. Reasonable measures should
be understood as implementing processes to prevent inaccuracies during the data collection
process as well as during the ongoing data processing in relation to the specific use for which
the data is processed. The organization must consider the type of data and the specific
purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also
embodies the responsibility to respond to data subject requests to correct records that contain
incomplete information or misinformation.
Adequate Level of Protection - Correct Answer-A transfer of personal data from the European
Union to a third country or an international organisation may take place where the European
Commission has decided that the third country, a territory or one or more specified sectors
within that third country, or the international organisation in question, ensures an adequate
level of protection by taking into account the following elements: (a) the rule of law, respect for
human rights and fundamental freedoms, both general and sectoral legislation, data protection
rules, professional rules and security measures, effective and enforceable data subject rights
and effective administrative and judicial redress for the data subjects whose personal data is
being transferred; (b) the existence and effective functioning of independent supervisory
authorities with responsibility for ensuring and enforcing compliance with the data protection
rules; (c) the international commitments the third country or international organisation
concerned has entered into in relation to the protection of personal data.
Annual Reports - Correct Answer-The requirement under the General Data Protection
Regulation that the European Data Protection Board and each supervisory authority
periodically report on their activities. The supervisory authority report should include
infringements and the activities that the authority conducted under their Article 58(2) powers.
The EDPB report should include guidelines, recommendations, best practices and binding
decisions. Additionally, the report should include the protection of natural persons with regard
to processing in the EU and, where relevant, in third countries and international organisations.
The report shall be made public and be transmitted to the European Parliament, to the Council
and to the Commission.
Anonymous Information - Correct Answer-In contrast to personal data, anonymous information
or data is not related to an identified or an identifiable natural person and cannot be combined
with other information to re-identify individuals. It has been rendered unidentifiable and, as
such, is not protected by the GDPR.
,Anti-discrimination Laws - Correct Answer-Anti-discrimination laws are indications of special
classes of personal data. If there exists law protecting against discrimination based on a class
or status, it is likely personal information relating to that class or status is subject to more
stringent data protection regulation, under the GDPR or otherwise.
Appropriate Safeguards - Correct Answer-The General Data Protection Regulation refers to
appropriate safeguards in a number of contexts, including the transfer of personal data to third
countries outside the European Union, the processing of special categories of data, and the
processing of personal data in a law enforcement context. This generally refers to the
application of the general data protection principles, in particular purpose limitation, data
minimisation, limited storage periods, data quality, data protection by design and by default,
legal basis for processing, processing of special categories of personal data, measures to
ensure data security, and the requirements in respect of onward transfers to bodies not bound
by the binding corporate rules. This may also refer to the use of encryption or
pseudonymization, standard data protection clauses adopted by the Commission, contractual
clauses authorized by a supervisory authority, or certification schemes or codes of conduct
authorized by the Commission or a supervisory authority. Those safeguards should ensure
compliance with data protection requirements and the rights of the data subjects appropriate
to processing within the European Union.
Appropriate Technical and Organizational Measures - Correct Answer-The General Data
Protection Regulation requires a risk-based approach to data protection, whereby
organizations take into account the nature, scope, context and purposes of processing, as well
as the risks of varying likelihood and severity to the rights and freedoms of natural persons,
and institute policies, controls and certain technologies to mitigate those risks. These
"appropriate technical and organisational measures" might help meet the obligation to keep
personal data secure, including technical safeguards against accidents and negligence or
deliberate and malevolent actions, or involve the implementation of data protection policies.
These measures should be demonstrable on demand to data protection authorities and
reviewed regularly.
Article 29 Working Party - Correct Answer-The Article 29 Working Party (WP29) was a
European Union organization that functioned as an independent advisory body on data
protection and privacy and consisted of the collected data protection authorities of the member
states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on
May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.
Authentication - Correct Answer-The process by which an entity (such as a person or
computer system) determines whether another entity is who it claims to be.
Automated Processing - Correct Answer-A processing operation that is performed without any
human intervention. "Profiling" is defined in the General Data Protection Regulation, for
example, as the automated processing of personal data to evaluate certain personal aspects
relating to a natural person, in particular to analyse or predict aspects concerning that natural
person's performance at work, economic situation, health, personal preferences, interests,
reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to
object to such processing.
Availability - Correct Answer-Data is "available" if it is accessible when needed by the
organization or data subject. The General Data Protection Regulation requires that a business
, be able to ensure the availability of personal data and have the ability to restore the availability
and access to personal data in a timely manner in the event of a physical or technical incident.
Background Screening/Checks - Correct Answer-Organizations may want to verify an
applicant's ability to function in the working environment as well as assuring the safety and
security of existing workers. Background checks range from checking a person's educational
background to checking on past criminal activity. Employee consent requirements for such
check vary by member state and may be negotiated with local works councils.
Behavioral Advertising - Correct Answer-Advertising that is targeted at individuals based on
the observation of their behaviour over time. Most often done via automated processing of
personal data, or profiling, the General Data Protection Regulation requires that data subjects
be able to opt-out of any automated processing, to be informed of the logic involved in any
automatic personal data processing and, at least when based on profiling, be informed of the
consequences of such processing. If cookies are used to store or access information for the
purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide
consent for the placement of such cookies, after having been provided with clear and
comprehensive information.
Binding Corporate Rules - Correct Answer-Binding Corporate Rules (BCRs) are an
appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-
border transfers of personal data between the various entities of a corporate group worldwide.
They do so by ensuring that the same high level of protection of personal data is complied with
by all members of the organizational group by means of a single set of binding and
enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with
all aspects of applicable data protection legislation and are approved by a member state data
protection authority. To date, relatively few organizations have had BCRs approved.
Binding Safe Processor Rules - Correct Answer-Previously, the EU distinguished between
Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors.
With the General Data Protection Regulation, there is now no distinction made between the
two in this context and Binding Corporate Rules are appropriate for both.
Biometrics - Correct Answer-Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns,
voice, face, handwriting, keystroke technique and gait. The General Data Protection
Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural
person as a special category of data for which processing is not allowed other than in specific
circumstances.
Bodily Privacy - Correct Answer-One of the four classes of privacy, along with information
privacy, territorial privacy and communications privacy. It focuses on a person's physical being
and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing
or body cavity searches.
Breach Disclosure (EU specific) - Correct Answer-The requirement that a data controller notify
regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the
confidentiality and security of personal data, depending on the assessed risks to the rights and
freedoms of affected data subjects (see Data Breach).
With Complete Solution
Accountability - Correct Answer-The implementation of appropriate technical and
organisational measures to ensure and be able to demonstrate that the handling of personal
data is performed in accordance with relevant law, an idea codified in the EU General Data
Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules.
Traditionally, accountability has been a fair information practices principle, that due diligence
and reasonable steps will be undertaken to ensure that personal information will be protected
and handled consistently with relevant law and other fair use principles.
Accuracy - Correct Answer-Organizations must take every reasonable step to ensure the data
processed is accurate and, where necessary, kept up to date. Reasonable measures should
be understood as implementing processes to prevent inaccuracies during the data collection
process as well as during the ongoing data processing in relation to the specific use for which
the data is processed. The organization must consider the type of data and the specific
purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also
embodies the responsibility to respond to data subject requests to correct records that contain
incomplete information or misinformation.
Adequate Level of Protection - Correct Answer-A transfer of personal data from the European
Union to a third country or an international organisation may take place where the European
Commission has decided that the third country, a territory or one or more specified sectors
within that third country, or the international organisation in question, ensures an adequate
level of protection by taking into account the following elements: (a) the rule of law, respect for
human rights and fundamental freedoms, both general and sectoral legislation, data protection
rules, professional rules and security measures, effective and enforceable data subject rights
and effective administrative and judicial redress for the data subjects whose personal data is
being transferred; (b) the existence and effective functioning of independent supervisory
authorities with responsibility for ensuring and enforcing compliance with the data protection
rules; (c) the international commitments the third country or international organisation
concerned has entered into in relation to the protection of personal data.
Annual Reports - Correct Answer-The requirement under the General Data Protection
Regulation that the European Data Protection Board and each supervisory authority
periodically report on their activities. The supervisory authority report should include
infringements and the activities that the authority conducted under their Article 58(2) powers.
The EDPB report should include guidelines, recommendations, best practices and binding
decisions. Additionally, the report should include the protection of natural persons with regard
to processing in the EU and, where relevant, in third countries and international organisations.
The report shall be made public and be transmitted to the European Parliament, to the Council
and to the Commission.
Anonymous Information - Correct Answer-In contrast to personal data, anonymous information
or data is not related to an identified or an identifiable natural person and cannot be combined
with other information to re-identify individuals. It has been rendered unidentifiable and, as
such, is not protected by the GDPR.
,Anti-discrimination Laws - Correct Answer-Anti-discrimination laws are indications of special
classes of personal data. If there exists law protecting against discrimination based on a class
or status, it is likely personal information relating to that class or status is subject to more
stringent data protection regulation, under the GDPR or otherwise.
Appropriate Safeguards - Correct Answer-The General Data Protection Regulation refers to
appropriate safeguards in a number of contexts, including the transfer of personal data to third
countries outside the European Union, the processing of special categories of data, and the
processing of personal data in a law enforcement context. This generally refers to the
application of the general data protection principles, in particular purpose limitation, data
minimisation, limited storage periods, data quality, data protection by design and by default,
legal basis for processing, processing of special categories of personal data, measures to
ensure data security, and the requirements in respect of onward transfers to bodies not bound
by the binding corporate rules. This may also refer to the use of encryption or
pseudonymization, standard data protection clauses adopted by the Commission, contractual
clauses authorized by a supervisory authority, or certification schemes or codes of conduct
authorized by the Commission or a supervisory authority. Those safeguards should ensure
compliance with data protection requirements and the rights of the data subjects appropriate
to processing within the European Union.
Appropriate Technical and Organizational Measures - Correct Answer-The General Data
Protection Regulation requires a risk-based approach to data protection, whereby
organizations take into account the nature, scope, context and purposes of processing, as well
as the risks of varying likelihood and severity to the rights and freedoms of natural persons,
and institute policies, controls and certain technologies to mitigate those risks. These
"appropriate technical and organisational measures" might help meet the obligation to keep
personal data secure, including technical safeguards against accidents and negligence or
deliberate and malevolent actions, or involve the implementation of data protection policies.
These measures should be demonstrable on demand to data protection authorities and
reviewed regularly.
Article 29 Working Party - Correct Answer-The Article 29 Working Party (WP29) was a
European Union organization that functioned as an independent advisory body on data
protection and privacy and consisted of the collected data protection authorities of the member
states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on
May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.
Authentication - Correct Answer-The process by which an entity (such as a person or
computer system) determines whether another entity is who it claims to be.
Automated Processing - Correct Answer-A processing operation that is performed without any
human intervention. "Profiling" is defined in the General Data Protection Regulation, for
example, as the automated processing of personal data to evaluate certain personal aspects
relating to a natural person, in particular to analyse or predict aspects concerning that natural
person's performance at work, economic situation, health, personal preferences, interests,
reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to
object to such processing.
Availability - Correct Answer-Data is "available" if it is accessible when needed by the
organization or data subject. The General Data Protection Regulation requires that a business
, be able to ensure the availability of personal data and have the ability to restore the availability
and access to personal data in a timely manner in the event of a physical or technical incident.
Background Screening/Checks - Correct Answer-Organizations may want to verify an
applicant's ability to function in the working environment as well as assuring the safety and
security of existing workers. Background checks range from checking a person's educational
background to checking on past criminal activity. Employee consent requirements for such
check vary by member state and may be negotiated with local works councils.
Behavioral Advertising - Correct Answer-Advertising that is targeted at individuals based on
the observation of their behaviour over time. Most often done via automated processing of
personal data, or profiling, the General Data Protection Regulation requires that data subjects
be able to opt-out of any automated processing, to be informed of the logic involved in any
automatic personal data processing and, at least when based on profiling, be informed of the
consequences of such processing. If cookies are used to store or access information for the
purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide
consent for the placement of such cookies, after having been provided with clear and
comprehensive information.
Binding Corporate Rules - Correct Answer-Binding Corporate Rules (BCRs) are an
appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-
border transfers of personal data between the various entities of a corporate group worldwide.
They do so by ensuring that the same high level of protection of personal data is complied with
by all members of the organizational group by means of a single set of binding and
enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with
all aspects of applicable data protection legislation and are approved by a member state data
protection authority. To date, relatively few organizations have had BCRs approved.
Binding Safe Processor Rules - Correct Answer-Previously, the EU distinguished between
Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors.
With the General Data Protection Regulation, there is now no distinction made between the
two in this context and Binding Corporate Rules are appropriate for both.
Biometrics - Correct Answer-Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns,
voice, face, handwriting, keystroke technique and gait. The General Data Protection
Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural
person as a special category of data for which processing is not allowed other than in specific
circumstances.
Bodily Privacy - Correct Answer-One of the four classes of privacy, along with information
privacy, territorial privacy and communications privacy. It focuses on a person's physical being
and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing
or body cavity searches.
Breach Disclosure (EU specific) - Correct Answer-The requirement that a data controller notify
regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the
confidentiality and security of personal data, depending on the assessed risks to the rights and
freedoms of affected data subjects (see Data Breach).
