CIPP/E Practice Questions
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANS-The right to privacy has to be balanced
against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the
Directive all had in common but largely failed to achieve in Europe? - ANS-The
restriction of cross-border data flow
Which EU institution is vested with the competence to propose new data protection
legislation on its own initiative? - ANS-Commission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANS-European Commission
What type of data lies beyond the scope of the GDPR? - ANS-Anonymised
What is the consequence if a processor makes an independent decision regarding the
purposes and means of processing it carries out on behalf of a controller? - ANS-The
processor will be considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding
what? - ANS-The age which children must be required to obtain parental consent
Which sentence BEST summarizes the concepts of Fairness, lawfullness, and
transparency, as expressly required by Article 5 of the GDPR? - ANS-Fairness and
transparency refer to the communication of key information before collecting data;
lawfulness refers to compliance with government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANS-1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y
stores this encrypted data on its server. The IT department of Provider Y finds out that
someone managed to hack into the system and take a copy of the data from its server.
In this scenario, whom does Provider Y have the obligation to notify? - ANS-Company X
, Which of the following would require designationg a data protection officer? - ANS-The
core activites of the controller or processor consist of processing operations that require
systematic monitoring of data subjects on a large scale. (public authority or large scal
sensitive data would apply as well)
When is a data sharing agreement MOST likely to be needed? - ANS-When personal
data is being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client
data, including their names, addresses and full contact details has disappeared. The
data on the stick is unencrypted and in clear text. It is uncertain what has happened to
the stick as this stage, but it likely was lost during the travel of an employee. What
should the company do? - ANS-Notify as soon as possible the data protection
supervisory authority that a data breach may have taken place
The GDPR specifies fines that may be levied against data controllers for certain
infringements. Which of the following infringements would be subject to the less severe
administrative fine of up to 10 million Euros? - ANS-Failure to implement technical and
organisational measures to ensure data protection is enshrined by design and default
Why is it advisable to avoid consent as a legal basis for an employer to process
employee data? - ANS-Consent may not be valid if the employee feels compelled to
provide it
What is true about an employee who makes an access request to his employer for any
personal data held about him? - ANS-The employer must supply all the information held
about the employee unless there is an exemption
Discover which employees are accessing cloud services and from which devices and
apps
Lock down the data in those apps and devices
Monitor and analyse the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organisation should perform these steps to do which of the following? -
ANS-Maintain a secure BYOD program
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANS-The right to privacy has to be balanced
against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the
Directive all had in common but largely failed to achieve in Europe? - ANS-The
restriction of cross-border data flow
Which EU institution is vested with the competence to propose new data protection
legislation on its own initiative? - ANS-Commission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANS-European Commission
What type of data lies beyond the scope of the GDPR? - ANS-Anonymised
What is the consequence if a processor makes an independent decision regarding the
purposes and means of processing it carries out on behalf of a controller? - ANS-The
processor will be considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding
what? - ANS-The age which children must be required to obtain parental consent
Which sentence BEST summarizes the concepts of Fairness, lawfullness, and
transparency, as expressly required by Article 5 of the GDPR? - ANS-Fairness and
transparency refer to the communication of key information before collecting data;
lawfulness refers to compliance with government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANS-1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y
stores this encrypted data on its server. The IT department of Provider Y finds out that
someone managed to hack into the system and take a copy of the data from its server.
In this scenario, whom does Provider Y have the obligation to notify? - ANS-Company X
, Which of the following would require designationg a data protection officer? - ANS-The
core activites of the controller or processor consist of processing operations that require
systematic monitoring of data subjects on a large scale. (public authority or large scal
sensitive data would apply as well)
When is a data sharing agreement MOST likely to be needed? - ANS-When personal
data is being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client
data, including their names, addresses and full contact details has disappeared. The
data on the stick is unencrypted and in clear text. It is uncertain what has happened to
the stick as this stage, but it likely was lost during the travel of an employee. What
should the company do? - ANS-Notify as soon as possible the data protection
supervisory authority that a data breach may have taken place
The GDPR specifies fines that may be levied against data controllers for certain
infringements. Which of the following infringements would be subject to the less severe
administrative fine of up to 10 million Euros? - ANS-Failure to implement technical and
organisational measures to ensure data protection is enshrined by design and default
Why is it advisable to avoid consent as a legal basis for an employer to process
employee data? - ANS-Consent may not be valid if the employee feels compelled to
provide it
What is true about an employee who makes an access request to his employer for any
personal data held about him? - ANS-The employer must supply all the information held
about the employee unless there is an exemption
Discover which employees are accessing cloud services and from which devices and
apps
Lock down the data in those apps and devices
Monitor and analyse the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organisation should perform these steps to do which of the following? -
ANS-Maintain a secure BYOD program
