CIPP/E questions
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article.
What else must SearchCo do?
(A). Notify the newspaper that it is delisting the article.
(B). Fully erase the URL to the content, as opposed to delisting, which is mainly based on the data subject's name.
(C). Identify other controllers who are processing the same information and inform them of the delisting request.
(D). Prevent the article from being listed in search results no matter what search terms are entered into the search engine. - ANS-(A). Notify the newspaper that it is delisting the article.
Which of the following is NOT a role of works councils?
(A). Determining the monetary fines to be levied against employers for data breach violations of employee data.
(B). Determining whether to approve or reject certain decisions of the employer that affect employees.
(C). Determining whether employees' personal data can be processed or not.
(D). Determining what changes will affect employee working conditions. - ANS-(C). Determining whether employees' personal data can be processed or not.
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
(A). If the processing is to be performed by a third-party vendor
(B). If the processing involves data that is considered personal data
(C). If the processing of the data is done through automated means
(D). If the processing is used to predict the behavior of data subjects - ANS-(D). If the processing is used to predict the behavior of data subjects
The GDPR forbids the practice of "forum shopping", which occurs when companies do what?
(A). Choose the data protection officer that is most sympathetic to their business concerns.
(B). Designate their main establishment in the member state with the most flexible practices.
(C). File appeals of infringement judgments with more than one EU institution simultaneously.
(D). Select third-party processors on the basis of cost rather than quality of privacy protection - ANS-(B). Designate their main establishment in the member state with the most flexible practices.
Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based on the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?
(A). It collects data from European Union websites, which constitutes an establishment in the European Union. - ANS-(A). It collects data from European Union websites, which constitutes an establishment in the European Union.
Which of the following was the first legally binding international instrument in the area of data protection?
A) Convention 108
B) GDPR
C) Universal Declaration of Human Rights
D) EU Directive on Privacy - ANS-A) Convention 108
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
(A). Data subject rights
(B). Data access disputes
(C). Cross-border processing
(D). Special categories of data - ANS-(C). Cross-border processing
An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?
(A). Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
(B). Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
(C). Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.