CIPPE Test Questions
Timeline for responding to data subject access rights - ANS-1 mo with possible 2 mo
extension
What is out of scope in terms of cross border data transfers under GDPR - ANS-American
company transacting with South African company using software built in EU
When is a DPIA needed? - ANS-When type of processing is likely to result in a high risk
to rights and freedoms of natural persons
What is the main purpose of DPO - ANS-To ensure compliance with local and EU data
protection law
What is not listed under GDPR as method for restricting processing of personal data -
ANS-Disabling the data management system
When is DPO required - ANS-When core activities include regular and systematic
monitoring on a large scale
What is out of scope/not covered by GDPR - ANS-Anonymous
What is true about pseudonymisation - ANS-Gives controllers a bit more leeway on if or
how they can process data besides purpose of initial collection and processing
The processor has now made a decision on the purpose of processing - ANS-The
processor is now deemed a controller
What is required for a company to market to EU consumer via email - ANS-Prior opt in
consent or previous customer purchase
Special category - ANS-Trade union
Member states have ability to enact local laws for what? - ANS-Age of child consent
When would consent not be needed from a child - ANS-Counseling services
What information does not need to be provided when processor has a breach (what
doesn't need to be included in their breach report)? - ANS-Link to DPIA
The processor has no responsibility to report to data subject or supervisory authority
When must a processor notify a controller for a breach? - ANS-Without undue delay
When must a controller report a breach to supervisory authority - ANS-72 hours
Is data subject notice required? - ANS-YES Without undue delay IF results in a high risk
to rights and subjects of natural person
How long does DPA have to reply to another DPA on cooperation request? - ANS-1
month
What information must be provided to a data subject if their data is collected indirectly? -
ANS-Source of the data
If the data for Data Subject is collected via indirect means what is the controller's
primary obligation? - ANS-To inform the data subject about it
What infraction can lead to the 2 tier fine of 2% or 10M? - ANS-Not implementing the
technical organizational measures
What is forum shopping? - ANS-Choosing to place your headquarters or main
establishment in a state with more relaxed privacy laws
Investigative powers of SA? - ANS-
Company x contracts company y to process. Company y has a breach. What is
company y's first priority? - ANS-Inform company x immediately
What will an employer do with employee data once they are terminated? - ANS-They
will keep data they are legally required to keep
CCTV - what would you NOT need to do first? - ANS-Create a retention policy
Processor has data on USB drive that is breached, but then deleted - Why is it not
required to notify the data subject? - ANS-Because the data was deleted and is of low
risk of harm to individuals