IAPP Study Questions with 100%
Correct Answers
What is not a characteristic of consent that must be achieved under the
GDPR? Correct Answer: Authorised
Who gives the European Parliament the power to approve legislation, along
with the Council of the European Union? Correct Answer: The Maastricht Treaty.
Signed 7th Feb 1992, effective 1st Nov 1993.
Do Canada, Uruguay and Andorra have adequacy decision? Correct Answer:
True
Within what time frame must a controller acknowledge a data subject access
request? Correct Answer: Within a reasonable period of time and no longer
than 30 days.
What must be present in a controllers records of processing, but not in those of a
processor? Correct Answer: Retention period and categories of personal data
being processed.
Under what circumstances is a controller or processor not obliged to maintain
records of data processing? Correct Answer: The organisation employs under
250 employees
What principles are the OECD Guidelines on the Protection of Privacy and
Transborder Data Flows of Personal Data? Correct Answer: Collection limitation,
purpose specification, use limitation, security safeguards, openness, individual
participation and accountability
, What criteria is not required when using a controllers legitimate interests as a
derogation for an international transfer? Correct Answer: The personal data
being transferred does not contain special category data.
What data is not protected by the GDPR? Correct Answer: Anonymous data
Which category of data subject would not be afforded rights under the GDPR?
Correct Answer: A deceased individual
What best describes Article 8 of the European Convention for Human Rights
Correct Answer: Individuals are entitled to keep their personal information
protected and private.
T/F: Personal data processed for the purposes of national security fall outside of
the material scope of the GDPR? Correct Answer: True
What is a suitable basis for processing payroll data of an employee Correct
Answer: Performance of a Contract
What is a suitable basis for processing special category data, as defined in
Article 9 of the GDPR. Correct Answer: Substantial public interest, for the
defence of a legal claim, for the purpose of scientific research carried out by
an EU establishment
Under what circumstances may a controller not process data once the data
subject has requested a restriction of processing? Correct Answer: for the
legitimate interests of the controller
T/F: The right to object to processing is an absolute right Correct Answer: False
Which of the following is not a corrective power of a supervisory authority?
Correct Answer: Not authorise high risk processing (identified through a DPIA)
Correct Answers
What is not a characteristic of consent that must be achieved under the
GDPR? Correct Answer: Authorised
Who gives the European Parliament the power to approve legislation, along
with the Council of the European Union? Correct Answer: The Maastricht Treaty.
Signed 7th Feb 1992, effective 1st Nov 1993.
Do Canada, Uruguay and Andorra have adequacy decision? Correct Answer:
True
Within what time frame must a controller acknowledge a data subject access
request? Correct Answer: Within a reasonable period of time and no longer
than 30 days.
What must be present in a controllers records of processing, but not in those of a
processor? Correct Answer: Retention period and categories of personal data
being processed.
Under what circumstances is a controller or processor not obliged to maintain
records of data processing? Correct Answer: The organisation employs under
250 employees
What principles are the OECD Guidelines on the Protection of Privacy and
Transborder Data Flows of Personal Data? Correct Answer: Collection limitation,
purpose specification, use limitation, security safeguards, openness, individual
participation and accountability
, What criteria is not required when using a controllers legitimate interests as a
derogation for an international transfer? Correct Answer: The personal data
being transferred does not contain special category data.
What data is not protected by the GDPR? Correct Answer: Anonymous data
Which category of data subject would not be afforded rights under the GDPR?
Correct Answer: A deceased individual
What best describes Article 8 of the European Convention for Human Rights
Correct Answer: Individuals are entitled to keep their personal information
protected and private.
T/F: Personal data processed for the purposes of national security fall outside of
the material scope of the GDPR? Correct Answer: True
What is a suitable basis for processing payroll data of an employee Correct
Answer: Performance of a Contract
What is a suitable basis for processing special category data, as defined in
Article 9 of the GDPR. Correct Answer: Substantial public interest, for the
defence of a legal claim, for the purpose of scientific research carried out by
an EU establishment
Under what circumstances may a controller not process data once the data
subject has requested a restriction of processing? Correct Answer: for the
legitimate interests of the controller
T/F: The right to object to processing is an absolute right Correct Answer: False
Which of the following is not a corrective power of a supervisory authority?
Correct Answer: Not authorise high risk processing (identified through a DPIA)
