IAPP exam - 2024 Questions with 100% Correct Answers
Three characteristics of consent that must be achieved Correct Answer: Freely
given, distinguishable, specific
The Maastricht Treaty Correct Answer: Treaty giving the European Parliament
the power to approve legislation, along with the Council of the European Union
Countries with adequacy decision Correct Answer: Andorra, Argentina,
Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector),
Jersey, New Zealand, Switzerland, United Kingdom, United States (commercial
organisations) and Uruguay.
Time frame a Controller must acknowledge a subject access request Correct
Answer: Within a reasonable period of time and no longer than 30 days.
Must be present in a controller's records of processing, but not in those of a
processor Correct Answer: Retention period, categories of personal data being
processed,
Circumstances a controller or processor is not obliged to maintain records of
data processing Correct Answer: The organisation employs under 250
employees
Principles of the OECD Guidelines on the Protection of Privacy and Transborder
Data Flows of Personal Data Correct Answer: Collection Limitation, Data Quality,
Purpose Specification, Use Limitation, Security Safeguards, Openness and
Individual Participation.
Criteria required when using a Controller's legitimate interests as a derogation
for an international transfer. Correct Answer: The processing is non-repetitive, the
data subject is informed of the risk and the transfer has suitable safeguards in
place to protect the fundamental freedoms of the data subject
A controller-processor contract must always contain Correct Answer: Duration
and nature of the processing
Data that is not protected by the GDPR Correct Answer: Anonymous data
Category of data subject not afforded rights under the GDPR Correct Answer: A
deceased individual
Description of Article 8 of the European Convention for Human Rights Correct
Answer: Individuals are entitled to keep their personal information protected
and private
An example most likely to be caught by the territorial scope of the GDPR
Correct Answer: A company based in Australia selling locally, whilst providing
customers in the UK the opportunity to buy goods in GBP
T/F Personal data processed for the purposes of national security fall outside the
material scope of the GDPR Correct Answer: True
Suitable basis for processing the payroll data of an employee Correct Answer:
Performance of a contract
A suitable basis for processing special category data defined in Article 9 Correct
Answer: Substantial public interest, for the defence of a legal claim and for the
purpose of scientific research carried out by an EU establishment
Information required in all fair processing notices under the GDPR Correct
Answer: name and contact details, purpose, lawful basis, categories of personal
data, recipients or categories of recipients, retention period, rights available
and right to lodge a complaint
Circumstances a fair processing notice isn't provided to data subjects when
data has been indirectly collected by the controller Correct Answer: the
provision of the information would require disproportionate effort from the
controller, member state law requires the processing remains a secret, the
processing is prescribed by EU Law which provides suitable safeguards to
protect the individual's interests.
What a data subject is not entitled to when making a request under the right of
access Correct Answer: a description of the technical and organisational
measures the controller has implemented to protect the data subject's personal
data
What a controller should do under the right of rectification Correct Answer: add
a note to the system stating accuracy was contested
Circumstances a controller may not process data once a data subject has
requested a restriction of processing Correct Answer: legitimate interests of the
controller
Suitable methods to restrict the processing of personal data Correct Answer:
restrict access, note the restriction and move the data to another database
T/F The right to object to processing is an absolute right Correct Answer: False
Circumstances under which a data subject can object to processing carried
out by a controller Correct Answer: processing for a purpose in the public
interest, legitimate interest and statistical purposes carried out by the controller
Age at which parental consent is no longer required Correct Answer: 16
Exception to the prohibition of processing of special category data Correct
Answer: purposes of substantial public interest