1) While implementing certain data subject rights the controller is obliged by Article 19 to inform each third party recipient of the personal data. For which of the following rights does this apply?
Restriction under Article 18
Rectification under Article 16
Erasure / "right to be forgotten" under Article 17
All of the above

2) Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
Employee data can only be processed if there is an approval from the data protection officer.
Consent may not be valid if the employee feels compelled to provide it.
An employer might have difficulty obtaining consent from every employee.
Data protection laws do not apply to processing of employee data.

3) Which of the following is NOT categorically one of the types of Privacy?
Intellectual Privacy
Information Privacy
Bodily Privacy
Territorial Privacy

4) Which of the following would require designating a data protection officer?
Processing is carried out by an organization employing 250 persons or more.
Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

5) Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
The group of undertakings must obtain approval from a supervisory authority.
The group of undertakings must be comprised of organizations of similar sizes and functions.
The data protection officer must be located in the country where the data controller has its main establishment.
The data protection officer must be easily accessible from each establishment where the undertakings are located.

6) Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?
A vehicle licensing agency selling owner names and contact details to the private sector in exchange for money
A company director credit checking agency republishing the contents of a Mandatory Public Register of directors, which is already in the public domain, by publishing the names and addresses of directors on the internet
A registered and regulated charity receiving information from any public sector body as part of a lawful Data Sharing Agreement
None of the above

7) Which of the following BEST describes the EU Data Protection Model?
Co-Regulatory
Comprehensive
Self-Regulatory
Sectorial

8) Which area of privacy is a lead supervisory authority's (SA) MAIN concern?
Data subject rights
Data access disputes
Cross-border processing
Special categories of data

9) Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?
Controllers must make best efforts to verify the consent.
Controllers must make reasonable efforts to verify the consent.
Controllers must make best efforts to request the consent in clear and plain language, in the context of the age of the child.
Controllers must make reasonable efforts to request the consent in clear and plain language, in the context of the age of the child.

10) What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
A prior opt-in consent for consumers unless they are already customers.
A pre-checked box stating that the consumer agrees to receive email marketing.
A notice that the consumer's email address will be used for marketing purposes.
No prior permission required, but an opt-out requirement on all emails sent to consumers.

11) What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
Both govern international transfers of personal data.
Both only apply to European Union countries.
Both require notification of processing activities to a supervisory authority.

12) What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
The controller will be liable to pay an administrative fine.
The processor will be liable to pay compensation to affected data subjects.
The processor will be considered to be a controller in respect of the processing concerned.
The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved.

13) Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?
A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.
A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.

14) What is the MAIN reason GDPR Article 4(22) establishes the concept of the 'concerned supervisory authority'?
To encourage the consistency of local data processing activity.
To give corporations a choice about who their supervisory authority will be.
To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.

15) Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
The European Commission can adopt an adequacy decision for individual companies.
The European Commission can adopt, repeal or amend an existing adequacy decision.
EU member states are vested with the power to accept or reject a European Commission adequacy decision.
To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

16) Under the GDPR, in which of the following situations are there derogations, where each member state can make adjustments to its national laws?
The default age at which a child can give consent.
The usefulness of the Principle of fairness, lawfulness and transparency.
The right to erasure.
All of the above.

17) How does the GDPR now define 'processing'?
Any act involving the collecting and recording of personal data.
Any operation or set of operations performed on personal data or on sets of personal data.
Any use or disclosure of personal data compatible with the purpose for which the data was collected.
Any operation or set of operations performed by automated means on personal data or on sets of personal data.

18) Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if:
The data subject already has information regarding how his data will be used.
The provision of such information to the data subject would be too problematic.
Third-party data would be disclosed by providing such information to the data subject.
The processing of the data subject's data is protected by appropriate technical measures.

19) A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
The ePrivacy Directive.
The E-Commerce Directive.
The Data Retention Directive.
The EU Cybersecurity Directive.

20) If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
Background checks on employees could be performed only under prior notice to all employees.
Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
Background checks on European employees will stem from data protection and employment law, which can vary between member states.
Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

21) Assuming that the 'without undue delay' provision is followed, what is the time limit for complying with a data access request?
Within 40 days of receipt.
Within 40 days of receipt, which may be extended by up to 40 additional days.
Within one month of receipt, which may be extended by up to an additional month.
Within one month of receipt, which may be extended by an additional two months.

22) If a company is planning to use closed-circuit television ('CCTV') on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
Notify the appropriate data protection authority
Perform a data protection impact assessment (DPIA)
Create an information retention policy for those who operate the system.
Ensure that safeguards are in place to prevent unauthorized access to the footage.

23) Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
A company wants to combine location data with other data in order to offer more personalized service for the customer.
A company wants to use location data to infer information on a person's clothes purchasing habits.
A company wants to use location data to track delivery trucks in order to make the routes more efficient.

24) In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
When creating an untargeted pop-up ad on a website.
When calling a potential customer to notify her of an upcoming product sale.
When emailing a customer to announce that his recent order should arrive earlier than expected.
When paying a search engine company to give prominence to certain products and services within specific search results.