1) According to the General Data Protection Regulation (GDPR), when does an organisation need to take action to legitimise cross-border data transfers of personal data?
   A. When the data is routed through another jurisdiction in or outside the European Union
   B. When the data is transferred from one jurisdiction in the European Union to another
   C. When the data is transferred from a jurisdiction outside the European Union to a member state of the European Union
   D. When the data is transferred from a jurisdiction in the European Union to a third country which is not deemed adequate
2) Which instrument allowed the GDPR and its predecessor, the Data Protection Directive 95/46/EC, to be set up as a harmonisation measure for European member states?
   A. Lisbon Treaty
   B. Treaty of Rome
   C. Council of Europe Convention
   D. European Convention on Human Rights
3) Which is an example of direct marketing?
   A. An email sent to an individual about an order she has placed for a book
   B. An email sent to an individual promoting a new book which is on sale
   C. A letter addressed to ‘the household’ about a charity bookstore
   D. An advertisement on a website promoting a new book which is on sale
4) The e-Privacy Directive 2002/58/EC contains which provision?
   A. Location data may be freely processed.
   B. Unsolicited commercial telephone calls, emails and faxes need opt-out consent.
   C. Corporate communication systems must have adequate security.
   D. Cookies require prior information and consent.
5) Which statement describes a European best practices approach to the protection of employment data held by an organisation?
   A. Employers should avoid all types of monitoring when collecting employee information within the workplace.
   B. Organisations should seek legal advice from a privacy lawyer before processing employee data.
   C. Employee data should not be processed without expressed, verbal permission by the employee.
   D. Employers should consult with regulatory bodies such as works councils about proposed data processing activity.
6) When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?
   A. Within 72 hours after having become aware of it
   B. No later than 5 calendar days after the incident is identified
   C. Notice must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification
   D. There is no need to notify the supervisory authority of a loss of personal information
7) Under what condition may the processing of ‘sensitive employee data’ be acceptable?
   A. The processing is necessary for the performance of a contract to which the individual is a party.
   B. The processing is necessary for the data controller to carry out their obligation in the field of employment law.
   C. The processing is necessary for the interest of both the data controller and the employee.
   D. The processing is necessary for the interests pursued by the data controller.
8) Why do Binding Corporate Rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?
   A. Because BCRs only provide adequate safeguards for organisations who move data outside their corporation.
   B. Because BCRs secure transfers to third parties without additional requirements.
   C. Because BCRs only deal with intra-organisational transfers and not with transfers to third parties.
   D. Because BCRs require contractual arrangements to legitimise international transfers of data.
9) Along with the name and contact details of the data controller processing the personal data, what other information must be included in the records of processing to be maintained by the data controller under the GDPR?
   A. Retention period of each category of personal data, where possible.
   B. Reason(s) for processing the personal data.
   C. Third countries to which the information may be transferred.
   D. All of A, B and C.
10) Which statement is correct concerning the information to be provided when collecting personal data directly from the data subject?
   A. There is one mandated form for such information which sets out all information requirements.
   B. Data controllers are obliged to inform data subjects about the creation of copies of their personal data for backup reasons.
   C. The information needs to detail if the personal data will be passed to another organisation.
   D. An employer is not required to provide such information to its employees concerning the processing of their employment records.
11) Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?
   A. No, under the GDPR this is never allowed.
   B. No, video surveillance is too intrusive a solution.
   C. Yes, provided that certain conditions have been met.
   D. Yes, without any further conditions to be taken into account.
12) Which institution is responsible for ensuring that directives are implemented properly by the member states?
   A. European Court of Justice
   B. European Commission
   C. European Parliament
   D. European Data Protection Supervisor
13) What is true for a contract based on European Commission (EC) Standard Contractual Clauses with a processor outside the European Economic Area?
   A. For subcontracting, the processor must inform the controller and obtain written approval.
   B. Before the processing starts, the processor must provide proof of compliance with technical and organisational measures.
   C. The data subject must consent to processing by the processor.
   D. The processor must provide a compliance statement from its data protection authority.
14) Which type of data subject is NOT covered by the GDPR?
   A. Newborn children.
   B. Persons under 18.
   C. Persons over 65.
   D. Deceased individuals.
15) Which of the following is not covered in the 3-part test of the Legitimate Interest Assessment?
   A. The purpose test.
   B. The complexity test.
   C. The necessity test.
   D. The balancing test.
16) How is an employer obliged to proceed before engaging in the general monitoring of email traffic and internet use of all of its employees?
   A. The employer must provide a prior opt-out option.
   B. The employer must seek prior legal advice.
   C. The employer must provide prior notice.
   D. The employer must seek prior verbal consent.
17) Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?
   A. Performance of a contract.
   B. Transferring data to an archive.
   C. Statistical purposes.
   D. Historical or scientific research.
18) Along with legitimacy, what is another condition that must be met when carrying out employee monitoring?
   A. The monitoring must be in the public interest.
   B. The monitoring must be limited to what is necessary for the purposes.
   C. The monitoring must be under an employment contract.
   D. The monitoring must be held to time constraints.
19) Which is an example of cloud computing?
   A. A software package installed on a laptop.
   B. A web-based email platform.
   C. A portable mass storage device.
   D. A single web-server.
20) According to the GDPR, the right to data portability applies:
   A. When the processing was based on a public interest.
   B. When processing was originally based on the user’s consent.
   C. When the processing was done through ‘manual means’.
   D. When the processing was based on the controller’s legitimate interests.
21) The collection is part of a historical research initiative. Which is the most accurate statement concerning the obligations imposed by the GDPR?
   A. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for EU member states to follow without discretion.
   B. The GDPR provides a framework which member states can choose to use as a basis for national legislation.
   C. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for EU member states to follow but it leaves them discretion in some areas.
   D. The GDPR imposes binding obligations on all EU member states as well as on all countries deemed ‘adequate’ by the European Commission.
22)
   A. Messages sent to individuals to inform them about something such as the order they have placed.
   B. Messages sent to individuals to inform them about something such as an update to the company's privacy policy.
   C. Mailings sent out to companies without contact persons being mentioned.
   D. All of the above.
23) Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
   A. Costs of implementation.
   B. The state of the art.
   C. Scope of processing.
   D. The size of the organisation.
24) Which is NOT a special category of data?
   A. Political affiliation.
   B. Health information.
   C. Ethnic origin.
   D. Social Security number.
25) Which institution has the power to adopt adequacy findings for the European Union?
   A. Working Party 29.
   B. European Commission.
   C. European Data Protection Supervisor.
   D. European Court of Justice.
26) Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?
   A. The recipients are existing customers.
   B. The controller is a non-profit organisation.
   C. The data subject and controller work in the same industry.
   D. The recipient’s email address is taken from a public register.
27) Which of the following is NOT one of the cases where Processors and Controllers must appoint a DPO?
   A. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
   B. The processing is carried out by a controller or processor with over 250 employees and large scale of data, up to 5000 records.
   C. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
   D. The core activities of the controller or the processor consist of processing on a large scale of special categories.
28) According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the approval of which two European Institutions?
   A. European Council and European Parliament.
   B. European Commission and European Parliament.
   C. European Parliament and Council of the European Union.
   D. European Commission and the Court of Justice of the European Union.
29) When would a data subject have the right to require the erasure of his or her data without undue delay?
   A. When erasure is in the public interest.
   B. When the controller is a public authority.
   C. When the processing is carried out by automated means.
   D. When the data is no longer necessary for its original purpose.
30) In which case should a data subject’s consent be regarded as freely given under the GDPR?
   A. If the data subject is able to withdraw consent without detriment.
   B. If the data subject is informed that opting out requires an affirmative action.
   C. If the data subject has been given a sufficient deadline for providing consent.
   D. If the data subject has been offered a consent agreement tailored to his situation.
31) Which of the following lists the attributes of security controls?
   A. Backup, Resilience, Availability, Integrity.
   B. Minimisation, Confidentiality, Integrity, Limitation.
   C. Confidentiality, Integrity, Availability, Resilience.
   D. None of the above.
32) Which of the following is a responsibility of the European Data Protection Board?
   A. Make available Model Contractual Clauses to Data Subjects.
   B. Provide the Union with the necessary impetus for its development and define the general political directions and priorities thereof.
   C. Ensure the consistent application of the EU GDPR across the EU.
   D. Exercise legislative functions over the Supervisory Authorities.
33) Which of the following is not part of the responsibilities of a Local Data Protection Supervisory Authority?
   A. Make decisions on the application of the EU GDPR, which are binding on those supervisory authorities.
   B. Handling complaints lodged by a data subject.
   C. Conducting investigations on the application of this Regulation.
   D. Promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
34) Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?
   A. A vehicle licensing agency selling owner names and contact details to the private sector in exchange for money.
   B. A company director credit checking agency republishing on the internet the names and addresses of directors taken from a Mandatory Public Register of directors which is already in the public domain.
   C. A registered and regulated charity receiving information from any public sector body as part of a lawful Data Sharing Agreement.
   D. None of the above.
35) Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?
   A. Controllers must make best efforts to verify the consent.
   B. Controllers must make reasonable efforts to verify the consent.
   C. Controllers must make best efforts to request the consent in clear and plain language, in the context of the age of the child.
   D. Controllers must make reasonable efforts to request the consent in clear and plain language, in the context of the age of the child.
36) Under the GDPR, in which of the following situations are there derogations where each member state can make adjustments to its national law?
   A. The default age at which a child can give consent.
   B. The usefulness of the principle of fairness, lawfulness and transparency.
   C. The right to erasure.
   D. All of the above.
37) Which of the following is NOT categorically one of the types of Privacy?
   A. Intellectual Privacy
   B. Information Privacy
   C. Bodily Privacy
   D. Territorial Privacy
38) While implementing certain data subject rights the controller is obliged by Article 19 to inform each third party recipient of the personal data. For which of the following rights does this apply?
   A. Restriction under Article 18
   B. Rectification under Article 16
   C. Erasure / "right to be forgotten" under Article 17
   D. All of the above