0% found this document useful (0 votes)

1K views155 pages

CIPPE Exam Question Bank V1.0

Uploaded by

Ektajn

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

1K views155 pages

CIPPE Exam Question Bank V1.0

Uploaded by

Ektajn

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 155

Certified Information Privacy Professional/ Europe (CIPP/E) Exam Question Bank

Version History

Created Date No. Of Questions Last Reviewed on Version No.

09/01/2022 226 10/01/2022 1.0
Note:
All the questions have been answered with utmost care and due diligence. However, a few questions might
have different interpretations/ incomplete information as the questions were identified from the web.
In case of any concerns/ doubts please reach out to your trainer.
QUESTION1:

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is
measured manually and is not followed by registration, documentation or other processing of an individual’s
personal data.

Which of the following best explains why this practice would NOT be subject to the GDPR?

A. Body temperature is not considered personal data.

B. The practice does not involve completion by automated means.
C. Body temperature is considered pseudonymous data.
D. The practice is for the purpose of alleviating extreme risks to public health.

ANSWER: B

Explanation:

QUESTION 2:
SCENARIO
Please use the following to answer the next question:

High Park Hotel Chain and Epic Vacations Travel Agency are U.S.-based multinational companies. They use an
Internet-based common platform for collecting and sharing their customer data with each other, in order to
integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked
and confirmed, and who has access to the stored data.

John, an EU resident, has booked travel itineraries in the past through Epic Vacations Travel Agency to stay at
High Park Hotel Chain’s locations. Epic Vacations Travel Agency offers a rewards program that allows customers
to sign up to accumulate points that can later be redeemed for free travel. John has signed the agreement to be a
rewards program member. Now John wants to know what personal information the company holds about him.
He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would High Park Hotel Chain and Epic Vacations Travel Agency NOT have
to honor John’s data access request?
A. The request is to obtain access and correct inaccurate personal data in his profile. The request is to obtain access
and information about the purpose of processing his personal data.
B. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
C. The request is to obtain access and the categories of recipients who have received his personal data to process his
rewards membership.

ANSWER: B

Explanation: According to article 15(c) - the recipients or categories of recipient to whom the personal data have
been or will be disclosed is covered as right to data subject access request.

QUESTION 3:

Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from
directly providing information about processing to the data subject if?

A. The data subject already has information regarding how his data will be used
B. The provision of such information to the data subject would be too problematic
C. Third-party data would be disclosed by providing such information to the data subject
D. The processing of the data subject’s data is protected by appropriate technical measures

ANSWER: A

Explanation: According to Article 14(5a) - the data subject already has the information.

QUESTION 4:

What should a controller do after a data subject opts out of a direct marketing activity?

A. Without exception, securely delete all personal data relating to the data subject.
B. Without undue delay, provide information to the data subject on the action that will be taken.
C. Refrain from processing personal data relating to the data subject for the relevant type of communication.
D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and
no longer processed.
ANSWER: C

Explanation: According to article 21(3) & (4) of GDPR- Where the data subject objects to processing for direct
marketing purposes, the personal data shall no longer be processed for such purposes.

QUESTION 5:
SCENARIO
Please use the following to answer the next question:

Big Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States,
Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a
phishing attack that resulted in a significant data breach. The executive board, in coordination with the general
manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures.
These included training awareness programs, a cybersecurity audit, and use of a new software tool called
SecurityAudit, which scans employees’ computers to see if they have software that is no longer being supported
by a vendor and therefore not getting security updates. However, this software also provides other features,
including the monitoring of employees’ computers. Since these measures would potentially impact employees,
Big Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will
implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the
Security team on how to use SecurityAudit to monitor employees’ computers activity and their location. During
these activities, the Information Security team discovered that one employee from Italy was daily connecting to
a video library of movies, and another one from Germany worked remotely without authorization. The Security
team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded
that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both
employees, since the security and privacy policy of the company prohibited employees from installing software
on the company’s computers, and from working remotely without authorization.

To comply with the GDPR, what should Big Block have done as a first step before implementing the Security
Audit measure?

A. Assessed potential privacy risks by conducting a data protection impact assessment.

B. Consulted with the relevant data protection authority about potential privacy violations.
C. Distributed a more comprehensive notice to employees and received their express consent.
D. Consulted with the Information Security team to weigh security measures against possible server impacts.

ANSWER: A
Explanation: According to article 35 of GDPR- The controller shall, prior to the processing, carry out an
assessment of the impact of the envisaged processing operations on the protection of personal data.

QUESTION 6:

A well-known video production company, based in Spain but specializing in documentaries filmed worldwide,
has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what
condition would the company NOT be required to obtain the consent of everyone whose image they use for their
documentary?

A. If obtaining consent is deemed to involve disproportionate effort.

B. If obtaining consent is deemed voluntary by local legislation.

C. If the company limits the footage to data subjects solely of legal age.
D. If the company’s status as a documentary provider allows it to claim legitimate interest.

ANSWER: B
Explanation: Local DPA’s have the authority to issue specific guidelines/regulations in line with GDPR and If
obtaining consent is deemed voluntary by local legislation the company need not obtain consent.

QUESTION 7:

When is data sharing agreement MOST likely to be needed?

A. When anonymized data is being shared.

B. When personal data is being shared between commercial organizations acting as joint data controllers.
C. When personal data is being proactively shared by a controller to support a police investigation.
D. When personal data is being shared with a public authority with powers to require the personal data to be
disclosed.
ANSWER: B
Explanation: According to article 24 & 26 of GDPR- the controller shall implement appropriate technical and
organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with
this Regulation.

QUESTION 8:

How is the retention of communications traffic data for law enforcement purposes addressed by European data
protection law?

A. The ePrivacy Directive allows individual EU member states to engage in such data retention.
B. The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
C. The Data Retention Directive’s annulment makes such data retention now permissible.
D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal
offences only.

ANSWER: D
1. Explanation: According to article 23 (d) of GDPR- the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties, including the safeguarding against and the
prevention of threats to public security.

QUESTION 9:

As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the
EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an
EU subsidiary and its U.S. parent are what?

A. Supervised by the same Data Protection Officer.

B. Consistent with Privacy Shield requirements
C. Bound by a standard contractual clause.
D. Inextricably linked in their businesses.

ANSWER: D
Explanation: In its judgement in Google Spain the Court of Justice of the European Union ('CJEU') found that the
processing of personal data in question by the search engine operated by Google Inc., a US-based controller, was
'inextricably linked to', and therefore was carried out 'in the context of the activities' of Google's establishment in
Spain.

QUESTION 10:
What is true if an employee makes an access request to his employer for any personal data held about him?

A. The employer can automatically decline the request if it contains personal data about a third person.
B. The employer can decline the request if the information is only held electronically.
C. The employer must supply all the information held about the employee.
D. The employer must supply any information held about an employee unless an exemption applies.

ANSWER: D
Explanation: According to article 88 of GDPR- Processing in the context of employment is given.

QUESTION 11:
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.
B. A pre-checked box stating that the consumer agrees to receive email marketing.
C. A notice that the consumer’s email address will be used for marketing purposes.
D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

ANSWER: A
Explanation: Consent in email marketing requires an opt-in from the consumer.

QUESTION 12:
SCENARIO
Please use the following to answer the next question:

HighPark Hotel Chain and Epic VacationsTravel Agency are U.S.-based multinational companies. They use an
Internet-based common platform for collecting and sharing their customer data with each other, in order to
integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked
and confirmed, and who has access to the stored data.

Now John wants to know what personal information the company holds about him. He sends an email requesting
access to his data, in order to exercise what he believes are his data subject rights.

What are HighPark Hotel Chain and Epic Vacations Travel Agency’s roles in this relationship?

A. HighPark Hotel Chain is the controller and Epic Vacations Travel Agency is the processor.
B. Epic Vacations Travel Agency is the controller and HighPark Hotel Chain is the processor.
C. HighPark Hotel Chain and Epic Vacations Travel Agency are independent controllers.
D. HighPark Hotel Chain and Epic Vacations Travel Agency are joint controllers.

ANSWER: D
Explanation: According to article 26(1) of GDPR- Where two or more controllers jointly determine the purposes
and means of processing, they shall be joint controllers.

QUESTION 13:
SCENARIO
Please use the following to answer the next question

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen.
The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its
new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing
in determining pricing for natural products. BHealthy decided to share its existing customer information – name,
location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train
its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and
concluded that the company has sufficient security measures to protect the contact information. Additionally,
BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical
and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy
for any purpose beyond provision of the services, which include use of the data for continued improvement of
Natural Insight’s machine learning algorithms.

Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it
received from BHealthy?

A. Appropriate security that takes into account the industry practices for protecting customer contact information
and purchase history.
B. Only the security measures assessed by BHealthy prior to entering into the data processing contract.
C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.
D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data
subject’s purchase history.

ANSWER: A

According to the article 28 (c) of GDPR- controller takes all measures required pursuant to Article 32.

QUESTION 14:

Which of the following would require designating a data protection officer?

A. Processing is carried out by an organization employing 250 persons or more.

B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C. The core activities of the controller or processor consist of processing operations of financial information or
information relating to children.

D. The core activities of the controller or processor consist of processing operations that require systematic
monitoring of data subjects on a large scale

ANSWER: D
1. Explanation: According to article 37(b) of GDPR- it's mentioned that, the core activities of the controller
or the processor consist of processing operations which, by virtue of their nature, their scope and/or their
purposes, require regular and systematic monitoring of data subjects on a large scale.

QUESTION 15:
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of
its employees to the national tax authority?

A. The consent of the employees.

B. The legal obligation of the employer.
C. The legitimate interest of the public administration.
D. The protection of the vital interest of the employees.

ANSWER: B

Explanation: According to article 6(c) of GDPR- processing is necessary for compliance with a legal obligation to
which the controller is subject.

QUESTION: 16

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

A. Choose the data protection officer that is most sympathetic to their business concerns.
B. Designate their main establishment in a member state with the most flexible practices.
C. File appeals of infringement judgments with more than one EU institution simultaneously.
D. Select third-party processors on the basis of cost rather than quality of privacy protection.

ANSWER: B

Explanation: The GDPR seeks to prevent forum shopping by harmonizing and standardizing the standards across
the European Union.

QUESTION: 17

Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their
personal data?

A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
B. The name/s of relevant government agencies involved and the steps needed for revising the data.
C. The identity and contact details of the controller and the reasons the data is being collected.
D. The contact information of the controller and a description of the retention policy.

ANSWER: C

Explanation: According to article 14(1) (a) of GDPR- the identity and the contact details of the controller and,
where applicable, of the controller’s representative.

QUESTION: 18

What is the most frequently used mechanism for legitimizing cross-border data transfer?

A. Standard Contractual Clauses.

B. Approved Code of Conduct.
C. Binding Corporate Rules.
D. Derogations.

ANSWER: A

Explanation: According to article 46(2) (d) of GDPR- A controller or processor may transfer personal data to a
third country or an international organization only if the controller or processor has provided appropriate
safeguards, such as, (SCC)standard data protection clauses adopted by a supervisory authority and approved by
the Commission pursuant to the examination procedure referred to in Article 93(2).

QUESTION: 19

SCENARIO

Please use the following to answer the next question

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is
headquartered in Montreal, and all of its employees are located there. The company offers its services to
Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet
traffic from outside of Canada (although this solution doesn’t prevent all nonCanadian traffic). It also declines to
process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-
Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is
exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian
customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He
suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes
to use push notifications and text messages to encourage existing customers to pre-register for an EU version of
the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it
will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like
storage and sharing of DNA information with other applications and medical providers. The company’s contract
says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers.
It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests
that the company should fully exploit these provisions, and that it can work around customers’ attempts to
withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the
process of purchasing the naming rights for a building in Germany, which would come with a few offices that
Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or
infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA
reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name,
birthdate, ethnicity, and racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

A. Get consent from the app users.

B. Provide a transparent notice to users.
C. Anonymize the data and add latency so it avoids disclosing real time locations.
D. Obtain a court order because location data is a special category of personal data

ANSWER: A
Explanation: According to article 6 & 7 of GDPR- the data subject has given consent to the processing of his or
her personal data for one or more specific purposes. Where processing is based on consent, the controller shall be
able to demonstrate that the data subject has consented to processing of his or her personal data.

QUESTION 20:

Which of the following entities would most likely be exempt from complying with the GDPR?

A. A South American company that regularly collects European customers’ personal data.
B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member
state.
C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European
customer

D. North American company servicing customers in South Africa that uses a cloud storage system made by a
European company

ANSWER: D

QUESTION: 21

What term BEST describes the European model for data protection?

A. Sectoral
B. Self-regulatory
C. Market-based
D. Comprehensive

ANSWER: D

QUESTION: 22

According to the GDPR, how is pseudonymous personal data defined?

A. Data that can no longer be attributed to a specific data subject without the use of additional information kept
separately.
B. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
C. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
D. Data that has been encrypted or is subject to other technical safeguards.

ANSWER: A
1. Explanation: According to article 4(5) of GDPR- ‘pseudonymisation’ means the processing of personal
data in such a manner that the personal data can no longer be attributed to a specific data subject without
the use of additional information, provided that such additional information is kept separately and is subject
to technical and organisational measures to ensure that the personal data are not attributed to an identified
or identifiable natural person.

QUESTION: 23

SCENARIO
Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in
Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick,
which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns
designed to highlight the environmental and economic benefits of their products. After months of planning, Liem
and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the
campaigns to their respective contacts Liem and EcoMick also entered into a data processing agreement with
MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and
making available to them all information necessary to demonstrate compliance with GDPR obligations.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact
information as well as prior purchase history for such contacts, to create campaigns that would result in the most
views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from
JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms.

Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped
EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions
EXCEPT?

A. Processing the personal data upon documented instructions regarding data transfers outside of the EEA
B. Notification regarding third party requests for access to Liem and EcoMick’s personal data.
C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
D. Returning or deleting personal data after the end of the provision of the services.

ANSWER: A

QUESTION: 24

What is the key difference between the European Council and the Council of the European Union?

A. The Council of the European Union is helmed by a president.

B. The Council of the European Union has a degree of legislative power.
C. The European Council focuses primarily on issues involving human rights.

D. The European Council is composed of the heads of each EU member state.

ANSWER: D
Explanation:
• The European Council: All EU heads of state or government meet to make political decisions.
• Council of the European Union: Members of the European Union Council are government ministers
from all member states.

QUESTION: 25

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of
data protection. Which of the following is an obligation of the company if it imports personal data from another
organization in the European Economic Area (EEA) under standard contractual clauses?

A. Submit the contract to its own government authority.

B. Ensure that notice is given to and consent is obtained from data subjects.
C. Supply any information requested by a data protection authority (DPA) within 30 days.
D. Ensure that local laws do not impede the company from meeting its contractual obligations.

ANSWER: D

Explanation:

QUESTION: 26

SCENARIO

Please use the following to answer the next question

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering
to help him recover compensation for personal injury. Louis has heard about insurance companies selling
customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from
Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him
their full range of their insurance policies. Perturbed by this, Louis has started looking at price comparison sites
on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even
though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides
to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No
Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask
Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop
using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims
Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock
also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for
marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis
when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned
subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his
accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract
included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his
information be erased from their computer system.

Based on the GDPR’s position on the use of personal data for direct marketing purposes, which of the following
is true about Louis’s rights as a data subject?

A. Louis does not have the right to object to the use of his data because he previously consented to it.
B. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
C. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of
exercising a legal claim.
D. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate
grounds for the processing.
ANSWER: C

QUESTION: 27

SCENARIO
Please use the following to answer the next question:

Due to its rapidly expanding workforce, Company A has decided to outsource its payroll function to Company
B.

Company B is an established payroll service provider with a sizable client base and a solid reputation in the
industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a
biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data
itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service.
Company B’s live systems will contain the following information for each of Company A’s employees:
● Name
● Address
● Date of Birth
● Payroll Number
● National Insurance Number
● Sick Pay Entitlement
● Maternity/Paternity Pay Entitlement
● Holiday Entitlement
● Pension and Benefits Contributions
● Trade Union Contributions

Jenny is the compliance officer at Company

A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the
new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company
B to use the time and attendance data only for the purpose of providing the payroll service, and to apply
appropriate technical and organizational security measures for safeguarding the data.
Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO
but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into
the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to
enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all
personal data from Company B’s live systems in order to create a new database for Company B

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree
not to include any data processing provisions in their services agreement, as data is only being used for IT testing
purposes. Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and
suffers a cyber-security incident soon after Company C begins work on the project. As a result, data relating to
Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until
Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon
as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and
organizational measures. What would be the most realistic way that Company B could have fulfilled this
requirement?

A. Hiring companies whose measures are consistent with recommendations of accrediting bodies
B. Requesting advice and technical support from Company A’s IT Team
C. Avoiding the use of another company’s data to improve their own services.
D. Vetting companies’ measures with the appropriate supervisory authority.

ANSWER: A

QUESTION: 28

SCENARIO
Please use the following to answer the next question:

WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its
website through a company in Switzerland. As part of their service, WonderKids will pass all personal data
provided to them to the childcare provider booked through their system. The type of personal data collected on
the website includes the name of the person booking the childcare, address and contact details, as well as
information about the children to be cared for including name, age, gender and health information. The privacy
statement on Wonderkids’ website states the following: “WonderkKids provides the information you disclose to
us through this website to your childcare provider for scheduling and health and safety reasons. We may also use
your and your child’s personal information for our own legitimate business purposes and we employ a third-party
website hosting company located in Switzerland to store the data. Any data stored on equipment located in
Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your
child’s personal information. We will only share you and your child’s personal information with businesses that
we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated
businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will
be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28
days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide
certain information to us, you may not be able to use our services. You have the right to request access to you and
your child’s personal information; rectify or erase you or your child’s personal information; the right to correction
or erasure of you and/or your child’s personal information; object to any processing of you and your child’s
personal information. You also have the right to complain to the supervisory authority about our data processing
activities.”

What must the contract between WonderKids and the hosting service provider contain?

A. The requirement to implement technical and organizational measures to protect the data.
B. Controller-to-controller model contract clauses.
C. Audit rights for the data subjects.
D. A non-disclosure agreement.

ANSWER: A
1. Explanation: According to article 28 of GDPR- Where processing is to be carried out on behalf of a
controller, the controller shall use only processors providing sufficient guarantees to implement appropriate
technical and organizational measures in such a manner that processing will meet the requirements of this
Regulation and ensure the protection of the rights of the data subject.
QUESTION 29:

Under Article 58 of the GDPR, which of the following describes the power of supervisory authorities in European
Union (EU) member states?

A. The ability to enact new laws by executive order.

B. The right to access data for investigative purposes.
C. The discretion to carry out goals of elected officials within the member state.
D. The authority to select penalties when a controller is found guilty in a court of law.

ANSWER: B
1. Explanation: According to article 58 of GDPR- Each supervisory authority shall have investigative powers
as mentioned in article.

QUESTION: 30

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of
the following?

A. The Court of Justice of the European Union.

B. The European Data Protection Supervisor.
C. The European Court of Human Rights.
D. The European Data Protection Board.

ANSWER: A
1. Explanation: As per Recital 143- In the context of judicial remedies relating to the application of this
Regulation, national courts which consider a decision on the question necessary to enable them to give
judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give
a preliminary ruling on the interpretation of Union law, including this Regulation.

QUESTION: 31

SCENARIO
Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls,
action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the
manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has
entered into a number of local distribution contracts. The toys produced by the company can be found in all
popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is
due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children.
The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The
figures can answer children’s questions on various subjects, such as mathematical calculations or the weather.
Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth.
Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also
be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play
experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is
generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of
the toy does not provide technical details on how this works, nor does it mention that this feature requires an
internet connection. The necessary data processing for this has been outsourced to a data center located in South
Africa. However, your company has not yet revised its consumer- facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play
the characters they acquire in the course of playing the game. The system will come bundled with a portal that
includes a Near- Field Communications (NFC) reader. This device will read an RFID tag in the action figure,
making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also
possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to
the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to
locations outside of the home and have the character’s abilities remain intact.

To ensure GDPR compliance, what should be the company’s position on the issue of consent?

A. Written authorization attesting to the responsible use of children’s data would need to be obtained from the
supervisory authority.
B. The Child, as the user of the action figure, can provide consent himself, as long as no information is shared for
marketing purposes.
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be
collected.

ANSWER: D

Explanation: According to article 8 of GDPR- Conditions applicable to child's consent in relation to information
society services.

QUESTION: 32

SCENARIO
Please use the following to answer the next question:

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany
continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible
for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a
renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research,
Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its
first campaign targeted university students in several European capitals, which yielded nearly 40% new customers
for T-Craze in one quarter.
Right Target also ran subsequent campaigns for T-Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests,
including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia,
a mid-career investment banker. Sofia was upset after receiving a marketing communication even after
unsubscribing from such communications from the Right Target on behalf of TCraze.

Which of the following is T-Craze’s lead supervisory authority?

A. Germany, because that is where T-Craze is headquartered.
B. France, because that is where T-Craze conducts processing of personal information.
C. Spain, because that is T-Craze’s primary market based on its marketing campaigns.
D. T- Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence
in several European countries,

ANSWER: B
According to article 4(21) of GDPR- ‘supervisory authority’ means an independent public authority which is
established by a Member State pursuant to Article 51.

QUESTION: 33

SCENARIO
Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new
manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research,
he meets with a sales representative from the up-and-coming IT Company Techiva, hoping that they can design
a new, cutting-edge website for TripBliss Inc.’s founding business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through
detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss
Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish
their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach
is, especially since the questionnaires will require customers to provide explicit consent to having their data
collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic,
in order to get a better understanding of how customers are using it. He explains his plan to place a number of
cookies on customer devices. The cookies will allow the company to collect IP addresses and other information,
such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and
which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze
by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the
website’s effectiveness. Oliver enthusiastically engages Techiva for these services. Techiva assigns the analytics
portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given
administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it.
Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction
with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands
of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following
plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention
to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences
a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from
the USB stick and inform his manager that the company’s system of access control must be reconsidered.

After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

A. They must report it to TripBliss Inc.

B. They must conduct a full systems audit.
C. They must report it to the supervisory authority.
D. They must inform customers who have used the website.

ANSWER: B

QUESTION: 34

Read the following steps:

● Discover which employees are accessing cloud services and form which devices and apps
● Lock down the data in those apps and devices
● Monitor and analyse the apps and devices for compliance
● Manage application life cycles
● Monitor Data Sharing

An organization should perform these steps to do which of the following?

A. Pursue a GDPR-compliant Privacy by Design process.

B. Institute a GDPR-compliant employee monitoring process.
C. Maintain a secure Bring Your Own Device (BYOD) program.
D. Ensure cloud vendors are complying with internal data use policies.

ANSWER: C
1. Explanation: According to Art.5.1. (f) of the GDPR requires personal data to be processed in a manner that
ensures appropriate security, including protection against unauthorized or unlawful processing and
accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity
and confidentiality'). Article 32 also requires controllers to safeguard personal data security, availability,
and secrecy, which data protection and information security share.

QUESTION: 35

In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required
conditions are met?

A. Approved data controllers.

B. The Council of the European Union.
C. National data protection authorities.
D. The European Data Protection Supervisor.

ANSWER: C

Explanation:

QUESTION: 36

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a
data subject’s sensitive medical information without the data subject’s knowledge or consent?

A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the
health of the data subject.

B. A public authority responsible for public health, where the sharing of such information is considered necessary
for the protection of the general populace.

C. A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the
timely dissemination of such information.

D. A journalist writing an article relating to the medical condition in question, who believes that the publication of
such information is in the public interest
ANSWER: D
1. Explanation: According to article 9 (g) of GDPR- processing is necessary for reasons of substantial public
interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect
the essence of the right to data protection and provide for suitable and specific measures to safeguard the
fundamental rights and the interests of the data subject;

QUESTION: 37

SCENARIO
Please use the following to answer the next question:

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included
processing personal data only upon Liem and EcoMick’s instructions, and making available to them all
information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that
uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal
data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data,
JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to
continually improve its machine learning models by analyzing the data it receives from its clients to determine
the most successful components of a successful campaign. JaphSoft then uses such models in providing services
to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft
does not have a deletion process for the data it receives from clients. However, to ensure compliance with data
privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact
information. JaphSoft’s engineers, however, maintain all contact information in the same database as the
identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact
information as well as prior purchase history for such contacts, to create campaigns that would result in the most
views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from
JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive
information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal
data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the GDPR because?

A. JaphSoft failed to first anonymize the personal data.

B. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
C. JaphSoft was in possession of information that could be used to identify data subjects.
D. JaphSoft failed to keep personally identifiable information in a separate database.

ANSWER: B

QUESTION: 38

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the
entity is required to provide users with notices containing information and consent under which of the following
frameworks?

A. General Data Protection Regulation 2016/679.

B. E-Privacy Directive 2002/58/EC.
C. E-Commerce Directive 2000/31/EC
D. Data Protection Directive 95/46/EC.

ANSWER: B

Explanation:

QUESTION: 39
Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

A. When an individual has not consented to the marketing.

B. When an individual’s details are obtained from their inquiries about buying a product.
C. Where an individual’s details have been obtained from a bought-in marketing list.
D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.

ANSWER: B
1. Explanation: Soft opt-in is occasionally used to characterize the rule for existing clients. The premise is that if
a customer just purchased something from you, provided their contact information, and did not opt out of
receiving marketing messages.

QUESTION: 40

SCENARIO
Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United
States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim
of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general
manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures.
These included training awareness programs, a cybersecurity audit, and use of a new software tool called
SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported
by a vendor and therefore not getting security updates. However, this software also provides other features,
including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a
general notice to all employees indicating that the company will implement a series of initiatives to enhance
information security and prevent future data breaches.

In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their
privacy rights, what information should Building Block have provided them before implementing the security
measures?

A. Information about what is specified in the employment contract.

B. Information about who employees should contact with any queries.
C. Information about how providing consent could affect them as employees.
D. Information about how the measures is in the best interests of the company.

ANSWER: D
Explanation: The employees were not appropriately informed about the consequences the new security measures
which should have been provided to them before implementing the security measures.

QUESTION: 41

What must be included in a written agreement between the controller and processor in relation to processing
conducted on the controller’s behalf?

A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a
personal data breach.
D. An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the
supervisory authority about personal data breaches

ANSWER: D
1. Explanation: According to article 33(1) & (2) of GDPR- In the case of a personal data breach, the controller
shall without undue delay and, where feasible, not later than 72 hours after having become aware of it,
notify the personal data breach to the supervisory authority competent in accordance with Article 55.
QUESTION: 42

SCENARIO
Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately
650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer,
who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy
legislation.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new
mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing
their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to
carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b)
where the results of this assessment indicate a high risk in the absence of appropriate protection measures,
Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before
implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority
and having to disclose details of Zandelay’s business plan and associated processing activities

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

A. Information about DPIAs found in Articles 38 through 40 of the GDPR.

B. Data breach documentation that data controllers are required to maintain.
C. Existing DPIA guides published by local supervisory authorities.
D. Records of processing activities that data controllers are required to maintain.

ANSWER: C
Even though option A is very close, DPA’s have the authority to provide additional guidelines regarding DPIA’s
hence option C makes more sense.

QUESTION: 43

Which of the following is one of the supervisory authority’s investigative powers?

A. To notify the controller or the processor of an alleged infringement of the GDPR.

B. To require that controllers or processors adopt approved data protection certification mechanisms.
C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation
decision made against them.
D. To require data controllers to provide them with written notification of all new processing activities

ANSWER: A
1. Explanation: According to article 58(1)(d) of GDPR- states that, to notify the controller or the processor of
an alleged infringement of this Regulation.

QUESTION 44:

Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

A. A company wants to combine location data with other data in order to offer more personalized service for the
customer.
B. A company wants to use location data to infer information on a person’s clothes purchasing habits.
C. A company wants to build a dating app that creates candidate profiles based on location data and data from third-
party sources.
D. A company wants to use location data to track delivery trucks in order to make the routes more efficient.

ANSWER: C
1. Explanation: According to GDPR Article 35- Where a type of processing in particular using new
technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to
result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing,
carry out an assessment of the impact of the envisaged processing operations on the protection of personal
data.
QUESTION: 45

Select the answer below that accurately completes the following:

“The right to compensation and liability under the GDPR…
A. …. provides for an exemption from liability if the data controller (or data processor) proves that it is not in any
way responsible for the event giving rise to the damage.”
B precludes any subsequent recourse proceedings against other controllers or processors involved in the
same processing.”
C can only be exercised against the data controller, even if a data processor was involved in the same
processing.”
D is limited to a maximum amount of EUR 20 million per event of damage or loss”

ANSWER: A

Explanation: According to Article 82(3)- A controller or processor shall be exempt from liability if it proves that
it is not in any way responsible for the event giving rise to the damage.

QUESTION: 46

If a multi-national company wanted to conduct background checks on all current and potential employees,
including those based in Europe, what key provision would the company have to follow?

A. Background checks on employees could be performed only under prior notice to all employees.
B. Background checks are only authorized with prior notice and express consent from all employees including those
based in Europe.
C. Background checks on European employees will stem from data protection and employment law, which can vary
between member states.
D. Background checks may not be allowed on European employees, but the company can create lists based on its
legitimate interests, identifying individuals who are ineligible for employment

ANSWER: C

Explanation: According to point 14.6.1 of the Official Textbook- Carrying out background checks will stem from
data protection and employment law, which can vary between member states.
QUESTION: 47

In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance
of using a “layered notice” to provide data subjects with what?

A. A privacy notice containing brief information whilst offering access to further detail.
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
C. An explanation of the security measures used when personal data is transferred to a third party.
D. An efficient means of providing written consent in member states where they are required to do so.

ANSWER: A

Explanation: According to point 8.4.2.1 of the Official Textbook- In a layered notice, the most important
information is provided in a short initial notice, and further, more detailed information is available should a data
subject wish to know more.

QUESTION: 48

SCENARIO
Please use the following to answer the next question:

Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction
with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands
of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following
plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention
to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences
a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from
the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

A. The resulting obligation to notify data subjects would involve disproportionate effort.
B. The incident resulted from the actions of a third-party that were beyond their control.
C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
D. The sensitivity of the categories of data involved in the incident was not substantial enough.

ANSWER: C
EXPLANATION: As per Art 33(1) of the GDPR, if the breach the personal data breach is unlikely to result in a
risk to the rights and freedoms of natural persons then it need not be reported.

QUESTION: 49

SCENARIO
Please use the following to answer the next question:

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might
also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal
and requires customers in the European Union and elsewhere to provide additional personal information in order
to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for
Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to
give their consent by requiring them to check a box before accepting their information. As Project Big is an
important project, the company also hires a first year college student named Sam, who is studying computer
science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people
that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the
company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice
approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to
follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the
company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major
lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice
instructs the company’s IT department to make copies of the computer hard drives from the entire global sales
team, including the European Union, and send everything to her so that she can review everyone’s information.
Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money
that would otherwise be paid to its outside law firm.

As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and
will be required to do what?
A. Notify its Data Protection Authority about the data breach.
B. Analyze and evaluate the liability for customers in Ireland.
C. Analyze and evaluate all of its breach notification obligations.
D. Notify all of its customers that reside in the European Union.

ANSWER: A

Explanation: According to Article 33, a personal data breach has to be notified to the supervisory Authority and
according to Article 34, a personal breach has to be notified to the data subject.

QUESTION: 50

SCENARIO
Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for
the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland
(part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business
trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time,
Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional
purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing
page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread
mistreatment of members at various branches of the club in several EU member states. As a result, Javier no
longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter,
Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional
materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious
about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take
action against the company.

In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board
becomes involved and, pursuant to the consistency mechanism, issues a binding decision. Additionally, Javier
sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph
removed from the brochure and website.

Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on
the matter?

A. Submit a draft decision to other supervisory authorities for their opinion.

B. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
C. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a
decision.

ANSWER: A
EXPLANATION: As per Art 60(3) of the GDPR, lead authority shall submit its draft to other supervisory
authorities concerned for their opinion.

QUESTION: 51

What must a data controller do in order to make personal data pseudonymous?

A. Separately hold any information that would allow linking the data to the data subject.

B. Encrypt the data in order to prevent any unauthorized access or modification.

C. Remove all indirect data identifiers and dispose of them securely.
D. Use the data only in aggregated form for research purposes.

ANSWER: A

Explanation: According to Article 4(5) of the GDPR- pseudonymization is defined as a process in which
additional information is kept separately and is subject to technical and organizational measures to ensure that the
personal data are not attributed to an identified or identifiable natural person.

QUESTION: 52

SCENARIO
Please use the following to answer the next question:

Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately
650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer,
who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy
legislation.

In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new
mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing
their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that Dynaroux needs to
carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b)
where the results of this assessment indicate a high risk in the absence of appropriate protection measures,
Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before
implementing the app and loyalty scheme.

Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority
and having to disclose details of Dynaroux’s business plan and associated processing activities.

Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

A. The company will be undertaking processing activities involving sensitive data categories such as financial and
children’s data
B. The company employs approximately 650 people and will therefore be carrying out extensive processing
activities.
C. The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
D. The company intends to shift their business model to rely more heavily on online shopping

ANSWER: C

Explanation: According to Article 35(3)(a) - A data protection impact assessment shall be required particularly
in the case of a systematic and extensive evaluation of personal aspects relating to natural persons which are based
on automated processing, including profiling.

QUESTION: 53

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

A. The European Commission.

B. The Article 29 Working Party.

C. The Council of the European Union.
D. The European Data Protection Board.

ANSWER: C

Explanation: As per point 2.2 of the Official Textbook- The European Parliament shall, jointly with the Council,
exercise legislative and budgetary functions.

QUESTION: 54

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

A. The European Commission can adopt an adequacy decision for individual companies.
B. The European Commission can adopt, repeal or amend an existing adequacy decision.
C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into
their national legislation

ANSWER: B
Explanation- As per point 12.4 of the Official Textbook- The European Commission must, on an ongoing basis,
monitor developments in third countries and international organizations that could affect the functioning of any
adequacy decisions adopted. Where available information reveals that a third country, a territory or one or more
specified sectors within a third country, or an international organization no longer ensures an adequate level of
protection, the Commission is entitled and required to repeal, amend or suspend the decision as appropriate.

QUESTION: 55
Which of the following was the first legally binding international instrument in the area of data protection?
A. Convention 108.
B. General Data Protection Regulation.
C. Universal Declaration of Human Rights.
D. EU Directive on Privacy and Electronic Communications.

ANSWER: A

Explanation: As per point 1.3.2 of the Official Textbook- Convention 108 which consolidates and reaffirms the
content of the 1973 and 1974 resolutions was the first legally binding international instrument in the area of data
protection.

QUESTION: 56

According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary
privacy information, if that subject’s personal data has been obtained from other sources?

A. As soon as possible after obtaining the personal data.

B. As soon as possible after the first communication with the data subject.
C. Within a reasonable period after obtaining the personal data, but no later than one month.
D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.

ANSWER: C

Explanation: According to Article 14(3)(a), if the subject’s personal data has been obtained from other sources,
the controller shall provide the data subject with the necessary privacy information within a reasonable period
after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances
in which the personal data are processed.

QUESTION: 57

When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is
effectively providing a level of personal data protection that is in compliance with the European Union (EU)
level?

A. After a personal data breach.

B. Every three (3) years.
C. On an ongoing basis.
D. Every year.

ANSWER: C

Explanation:

QUESTION: 58

A Spanish electricity customer calls her local supplier with questions about the company’s upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the
merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer
with the requested information?

A. Verify that the request is applicable to the data collected before the GDPR entered into force.
B. Verify that the purpose of the request from the customer is in line with the GDPR.
C. Verify that the personal data has not already been sent to the customer.
D. Verify that the identity of the customer can be proven by other means.

ANSWER: C

Explanation: According to Article 13(4)- the controller has no obligation to provide the data subject with
information if the data subject already has the information.
QUESTION: 59

SCENARIO
Please use the following to answer the next question:

After the implementation of these measures, server performance decreased. The general manager instructed the
Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During
these activities, the Information Security team discovered that one employee from Italy was daily connecting to
a video library of movies, and another one from Germany worked remotely without authorization. The Security
Team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded
that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both
employees, since the security and privacy policy of the company prohibited employees from installing software
on the company’s computers, and from working remotely without authorization.

What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee
from Italy?

A. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure
authorized under Italian labor law
B. Since the employee was the cause of a serious risk for the server performance and their data, the company would
be entitled to apply disciplinary measures to this employee, including fair dismissal.
C. Since the employee was not informed that the security measures would be used for other purposes such as
monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences
of the new security measures, the company would be entitled to apply some disciplinary measures, but not
dismissal.

ANSWER: C
EXPLANATION: 14.6.3 of the Official Textbook provides that before employer undertakes monitoring activity
employer has to clearly inform the employee that monitoring activity will be carried out.

QUESTION: 60

According to the GDPR, when should the processing of photographs be considered processing of special
categories of personal data?

A. When processed with the intent to publish information regarding a natural person on publicly accessible media.
B. When processed with the intent to proceed to scientific or historical research projects.
C. When processed with the intent to uniquely identify or authenticate a natural person.
D. When processed with the intent to comply with a law.

ANSWER: C

Explanation: According to Recital 51- Photographs of individuals should be considered to be processing sensitive
data when processed to allow the unique identification or authentication of an individual.

QUESTION: 61

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and
data protection rules?

A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.
C. When emailing a customer to announce that his recent order should arrive earlier than expected.
D. When paying a search engine company to give prominence to certain products and services within specific search
results.

ANSWER: B

Explanation: Option B targets the customer specifically while other options are untargeted.

QUESTION: 62

A mobile device application that uses cookies will be subject to the consent requirement of which of the
following?
A. The ePrivacy Directive
B. The E-Commerce Directive
C. The Data Retention Directive
D. The EU Cybersecurity Directive

ANSWER:A

EXPLANATION: ePrivacy Directive is a set of rules for data protection and privacy in the European Union (EU).
It regulates cookie usage, email marketing, data minimization, and other aspects of data privacy.

QUESTION: 63

SCENARIO
Please use the following to answer the next question:

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany
continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible
for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a
renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research,
Right Target determined that T-Craze is most successful with customers between the ages of 18 and
22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40%
new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with
much less success.

What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that
it plans to take action regarding Sofia’s complaint?

A. Accept, because it did not receive any complaints.

B. Accept, because GDPR permits non-lead authorities to take action for such complaints.
C. Reject, because Right Target’s processing was conducted throughout Europe.
D. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

ANSWER: B
EXPLANATION: As per Art 56(2) of the GDPR each supervising authority is competent to handle a complaint
lodged with it.

QUESTION: 64

A multinational company is appointing a mandatory data protection officer. In addition to considering the rules
set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure
compliance in all EU jurisdictions in which it operates?

A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries
it operates
C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is
established.
D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether
they comply with the principles of privacy by design and by default

ANSWER: A

QUESTION: 65

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A. The right to request access to the personal data a controller holds about them.
B. The right to request the deletion of data a controller holds about them.
C. The right to opt-out of the sale of their personal data to third parties.
D. The right to request restriction of processing of personal data, under certain scenarios.

ANSWER: B

QUESTION: 66

The Planet 49 CJEU Judgment applies to?

A. Cookies used only by third parties.

B. Cookies that are deemed technically necessary.
C. Cookies regardless of whether the data accessed is personal or not.
D. Cookies where the data accessed is considered as personal data only.

ANSWER: C

Explanation: Please refer to the below mentioned link.

https://www.twobirds.com/insights/2019/global/planet49-cjeu-rules-on-cookie-consent

QUESTION: 67
SCENARIO
Please use the following to answer the next question:

HighPark Hotel Chain and Epic Vacations Travel Agency are U.S.-based multinational companies. They use an
internet-based common platform for collecting and sharing their customer data with each other, in order to
integrate their marketing efforts.
Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has
access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through Epic Vacations Travel Agency to stay at
HighPark Hotel Chain’s locations. Epic Vacations Travel Agency offers a rewards program that allows customers
to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a
rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting
access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike’s request.

B. Not more than two months after verifying Mike’s identity.
C. When all the information about Mike has been collected.
D. Not more than thirty days after submission of Mike’s request.

ANSWER: A

Explanation: According to Recital 59- The controller should be obliged to respond to requests from the data
subject without undue delay and at the latest within one month.

QUESTION: 68

If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR
compliance, should it first do all of the following EXCEPT?
A. Notify the appropriate data protection authority.
B. Perform a data protection impact assessment (DPIA).

C. Create an information retention policy for those who operate the system.
D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

ANSWER: A
EXPLANATION: 15.5 of the Official Textbook provides for all the compliances except for option (a).

QUESTION: 69

A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General
Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

A. The lawful processing criteria stipulated by Articles 6 to 9

B. The information requirements set out in Articles 13 and 14
C. The breach notification requirements specified in Articles 33 and 34
D. The rights granted to data subjects under Article 12 and 22

ANSWER: D

Explanation: The individual Participation Principle under the OECD similar to Data Subject Rights under the
GDPR gives rights to the individual to obtain from a data controller data relating to him, to challenge data relating
to him and if the challenge is successful to have the data erased, rectified, completed or amended.

QUESTION: 70

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What
is the reason for this?

A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
B. Adequacy determinations automatically lapse when a Member State leaves the EU.
C. The UK us now a third country because it’s no longer subject to GDPR
D. The UK is less trustworthy now that it's not part of the Union.
ANSWER: C

Explanation: According to point 1.9.2 of the Official Textbook- Once the UK leaves the EU, the UK will become
a ‘third country’ for the purposes of European data protection law, which means that EU member states must
comply with Chapter V of the GDPR in relation to any transfers from the EU to the UK.

QUESTION: 71

SCENARIO
Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on
its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that
describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her
previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron
is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft,
trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related
activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with
other third-party apps you may already have) to collect data about all of these important lifestyle elements, and
provide the information necessary for you to enrich your quality of life. (Please click here to read a full description
of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which
apps can access your data. When your device is locked with a passcode, all of your health and fitness data is
encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider,
Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we
will not provide a customer’s name, email address or any other information gathered from the app to any third-
party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the
manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first
complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older,
unless parental consent has been given to minors intending to use it.)
● First Name
● Surname
● Year of Birth
● Email
● Physical Address (optional)
● Health Status
*If you are interested in receiving newsletters about our products and services that we think may be of interest to
you, please include your physical address. If you decide later that you do not wish to receive these newsletters,
you can unsubscribe by sending an email to [email protected] or send a letter with your request to the
address listed at the bottom of this page. Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
4. Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the
processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled
to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any
required notices, agreements, or other information concerning the services by email or other electronic means.
You also agree that the Company may send automated emails with alerts regarding any problems with the M-
Health app that may affect your well-being.
What is one potential problem Vigotron’s age policy might encounter under the GDPR?

A. Age restrictions are more stringent when health data is involved.

B. Users are only required to be aged 13 or over to be considered adults.
C. Organizations must make reasonable efforts to verify parental consent.
D. Organizations that tie a service to marketing must seek consent for each purpose.

ANSWER: C

Explanation: According to Article 8(2)- Controller shall make reasonable efforts to verify that consent is given or
authorized by the holder of parental responsibility over the child.

QUESTION: 72

Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-
EU country?

A. The European Parliament

B. The European Commission
C. The Article 29 Working Party
D. The European Council

ANSWER: B

Explanation: According to point 2.5.3 of the Official Textbook- The European Commission has the power to
adopt ‘adequacy findings’ by which non- EU member states are regarded as providing an adequate level of data
protection in accordance with EU standards.

QUESTION: 73

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of
ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT
be effective for communicating a breach to data subjects?

A. A postal notification
B. A direct electronic message
C. A notice on a corporate blog
D. A prominent advertisement in print media

ANSWER: C

Explanation: According to Article 34 of WP29’s “Guidelines on Personal data breach notification under
Regulation 2016/679’’- Examples of transparent communication methods include direct messaging (e.g. email,
SMS, direct message), prominent website banners or notification, postal communications and prominent
advertisements in print media.
QUESTION: 74

SCENARIO
Please use the following to answer the next question:

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on
cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it
appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not
provide technical details on how this works, nor does it mention that this feature requires an internet connection.
The necessary data processing for this has been outsourced to a data center located in South Africa. However,
your company has not yet revised its consumer- facing privacy policy to indicate this.

In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice
should the company institute?

A. Encrypt the data in transit over the wireless Bluetooth connection.

B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since
South Africa is outside the European Union.

ANSWER: D

Explanation: According to Article 32- The controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk. It does not talk about Contractual
obligations.

QUESTION: 75

Which EU institution is vested with the competence to propose new data protection legislation on its own
initiative?

A. The European Council

B. The European Parliament

C. The European Commission

D. The Council of the European Union

ANSWER: C

Explanation: According to point 2.5 of the Official Textbook- the European Commission has an important
responsibility and power to initiate legislation.

QUESTION: 76

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
A. The local Data Protection Supervisory Authorities.
B. The European Data Protection Board.
C. The EU Commission.
D. The Member States.

ANSWER: D

Explanation- According to Article 84- Member States shall lay down the rules applicable to infringements.
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in
particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all
measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and
dissuasive.

QUESTION: 77

SCENARIO
Please use the following to answer the next question:

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including
diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps
you may already have) to collect data about all of these important lifestyle elements, and provide the information
necessary for you to enrich your quality of life. (Please click here to read a full description of the services that
M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which
apps can access your data. When your device is locked with a passcode, all of your health and fitness data is
encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider,
Stratculous. (Read more about Stratculous here.)

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first
complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older,
unless parental consent has been given to minors intending to use it.
● First Name
● Surname
● Year of Birth
● Email
● Physical Address (optional)
● Health Status

*If you are interested in receiving newsletters about our products and services that we think may be of interest to
you, please include your physical address. If you decide later that you do not wish to receive these newsletters,
you can unsubscribe by sending an email to [email protected] or send a letter with your request to the
address listed at the bottom of this page. Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
4. Consent

Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest
problem with Emily’s consent provision?

A. It is not legal to include fields requiring information regarding health status without consent.
B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
D. The provision of the fitness app should be made conditional on the consent to the data processing for direct
marketing.

ANSWER: B
EXPLANATION: As per Art 9(2)(a) of the GDPR, explicit consent has to be taken before processing sensitive
personal data and health data being sensitive personal data, explicit consent has to be taken before processing the
data.

QUESTION: 78

Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

A. The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.
B. The supplier determines the location, security measures, and service standards applicable to the processing.
C. The supplier allows customer data to be transferred around the infrastructure according to capacity.
D. The supplier assumes the vendor’s business risk associated with data processed by the supplier.

ANSWER: D

Explanation: According to point 17.2 of the Official Textbook- Option D is not a characteristic of cloud-
computing services.

QUESTION: 79
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as
information contained in notebooks or hard copy files?

A. Only where the personal data is produced as a physical output of specific automated processing activities, such
as printing, labelling, or stamping.

B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or
optical character recognition
C. Only where the personal data is treated by automated means in some way, such as computerized distribution or
filing.
D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

ANSWER: D

Explanation: According to Article 2(1)- GDPR applies to the processing of personal data other than by automated
means when it forms part of a filing system or is intended to form part of a filing system.

QUESTION: 80

SCENARIO
Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady’s business provides a low-cost suite of services to customers throughout the European

Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s
company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and
consulting services that help people manage their own online stores.

Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when
another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on
Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not
worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within
Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady
did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through
online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles.
Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain
useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling
of customer personal data?

A. The data is sensitive.

B. The data is uncategorized.
C. The data is being used for a new purpose.
D. The data is being processed via a new means.

ANSWER: C

Explanation: According to point 6.3 of the Official Textbook- To process the data for a new purpose, separate
consent of the data subject has to be taken.

QUESTION: 81
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

A. Employee data can only be processed if there is an approval from the data protection officer.
B. Consent may not be valid if the employee feels compelled to provide it.
C. An employer might have difficulty obtaining consent from every employee.
D. Data protection laws do not apply to processing of employee data.

ANSWER: B

Explanation: According to point 14.2.1 of the Official textbook- True consent, as required under the GDPR to be
valid should be freely given, specific, informed and unambiguous indication of the employee’s wishes signifying
agreement which is difficult due to the power dynamics involved in an employer-employee relationship.

QUESTION: 82

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert
investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary
and what?

A. Prudent.
B. Important.
C. Proportionate.
D. DPA-approved.

ANSWER: C

Explanation: Please refer to the below mentioned link.

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0680

QUESTION: 83

Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article
3?
A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

ANSWER: D

Explanation: According to Article 3(2)- GDPR applies to the processing of personal data of data subjects who are
in the Union by a controller or processor not established in the Union, where the processing activities relates to
the offering of goods or services to such data subjects in the Union or monitoring of their behaviour as far as their
behaviour takes place within the Union.

QUESTION: 84

What was the aim of the European Data Protection Directive 95/46/EC?

A. To harmonize the implementation of the European Convention of Human Rights across all member states.
B. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
C. To completely prevent the transfer of personal data out of the European Union.
D. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one
member state to another

ANSWER: D
EXPLANATION: 1.4.1 of the Official Textbook, the aim of the Directive was to further reconcile protecting
individuals’ fundamental privacy rights with the free flow of data from one member state to another.

QUESTION: 85

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

A. It cannot be attributed to a data subject without the use of additional information.

B. It cannot be attributed to a person under any circumstances.
C. It can only be attributed to a person by the controller.
D. It can only be attributed to a person by a third party.

ANSWER: A

Explanation: According to Article 4(5)- ‘pseudonymisation’ means the processing of personal data in such a
manner that the personal data can no longer be attributed to a specific data subject without the use of additional
information, provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural
person.

QUESTION: 86

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an
article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the
prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo
delist this result.

SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must
SearchCo do?

A. Notify the newspaper that its article is delisting the article.

B. Fully erase the URL to the content, as opposed to delist which is mainly based on the data subject’s name.
C. Identify other controllers who are processing the same information and inform them of the delisting request.
D. Prevent the article from being listed in search results no matter what search terms are entered into the search
engine.

ANSWER: D

QUESTION: 87

SCENARIO
Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady’s business provides a low-cost suite of services to customers throughout the European
Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s
company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and
consulting services that help people manage their own online stores.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party
contractor called Hermes Designs and worries that sensitive information regarding his business plans may be
misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his
customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a
requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to
insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In
fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers
like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs
webpage.
Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used
within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last
name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that
he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the
quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising
(OBA) is most likely to be insufficient if the company becomes established in Europe?
A. The lack of the option to opt in.

B. The level of security within the website.

C. The contract with the third-party advertising network.
D. The need to have the contents of the advertising approval

ANSWER: A

Explanation: According to Recital 32- Silence, pre-ticked boxes or inactivity should not constitute consent. Also,
according to point 7.2.1 of the Official Textbook, Consent requires an express indication of wishes, whereas opt-
out works on the basis that a lack of action by the data subject indicates a lack of objection.

QUESTION: 88

SCENARIO
Please use the following to answer the next question:

● Student records, including names, student numbers, home addresses, pre-university information, university
attendance and performance records, details of special educational needs and financial information.
● Staff records, including autobiographical materials (such as curricula, professional contact files, student
evaluations and other relevant teaching files).
● Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These
records are available to former students after registering through Granchester’s Alumni portal.
● Department for Education records, showing how certain demographic groups (such as first-generation students)
could be expected, on average, to progress.
● These records do not contain names or identification numbers.Under their security policy, the University encrypts
all of its personal data records in transit and at rest.

He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student
numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm
on each occasion so that he can update each record over time.One of Anna’s tasks is to complete the record of
processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR.
After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of
existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out
before the data processing can take place. Anna arranges to discuss this further with Frank after she has done
some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is
not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has
to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he
decides to tell Anna about his lost laptop at the same time.

Which of the University’s records does Anna NOT have to include in her record of processing activities?

A. Student records
B. Staff and alumni records
C. Frank’s performance database
D. Department for Education records

ANSWER: A

Explanation: As per Article 30- Records of processing activities must include significant information about data
processing, including data categories, the group of data subjects, the purpose of the processing and the data
recipients.

QUESTION: 89

When may browser settings be relied upon for the lawful application of cookies?
A. When a user rejects cookies that are strictly necessary.
B. When users are aware of the ability to adjust their settings.

C. When users are provided with information about which cookies have been set.
D. When it is impossible to bypass the choices made by users in their browser settings

ANSWER: D

QUESTION: 90

SCENARIO
Please use the following to answer the next question:

Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

A. She was not told which controller would be processing her personal data.
B. She only viewed the visual representations of the privacy notice Liem provided.
C. She did not read the privacy notice stating that her personal data would be shared.
D. She has never made any purchases from JaphSoft and has no relationship with the company

ANSWER: A
Explanation: Under Article 7 of GDPR, consent of data subjects is essential and must precede certain conditions
for processing activities undertaken by an entity. The details of such entity and the purpose behind such processing
must be informed to the data subject prior to such processing.

QUESTION: 91

If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how
long does the data subject have to wait before taking action in the courts?

A. 1 month.
B. 3 months.
C. 5 months.
D. 12 months.

ANSWER: B
Explanation: A data subject can initiate legal action after 3 months where there has been no information about
their complaint progress or outcome. According to Article 78(2) of the GDPR, each data subject shall have the
right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not
inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to
Article 77 of the GDPR.

QUESTION: 92

Which of the following would NOT be relevant when determining if a processing activity would be considered
profiling?

A. If the processing is to be performed by a third-party vendor

B. If the processing involves data that is considered personal data
C. If the processing of the data is done through automated means
D. If the processing is used to predict the behavior of data subjects

ANSWER: A

QUESTION: 93

SCENARIO
Please use the following to answer the next question:

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is
exploring a number of plans to expand its customer base.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA
reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name,
birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

A. Its plan would be in the context of the establishment of a controller in the Union.
B. It would be offering goods or services to data subjects in the Union.
C. It is engaging in commercial activities conducted in the Union.
D. It is monitoring the behavior of data subjects in the Union.

ANSWER: D

Explanation: Article 3(3) of the GDPR specifies that the law applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not established in the Union, where the processing
activities are related to the monitoring of their behavior as far as their behavior takes place within the Union.
Since Who-R-U monitors behavior of data subjects in the Union, it will come under the territorial scope of the
GDPR.

QUESTION: 94
SCENARIO
Please use the following to answer the next question:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for
scheduling and health and safety reasons. We may also use your and your child’s personal information for our
own legitimate business purposes and we employ a third-party website hosting company located in Switzerland
to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions
for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and
your child’s personal information with businesses that we see as adding real value to you. By providing us with
any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide
certain information to us, you may not be able to use our services. You have the right to: request access to you
and your child’s personal information; rectify or erase you or your child’s personal information; the right to
correction or erasure of you and/or your child’s personal information; object to any processing of you and your
child’s personal information. You also have the right to complain to the supervisory authority about our data
processing activities.”

What direct marketing information can WonderKids send by email without prior consent of the person booking
the childcare?

A. No marketing information at all.

B. Any marketing information at all.
C. Marketing information related to other business operations of WonderKids.
D. Marketing information for products or services similar to those purchased from WonderKids.

ANSWER: D
Explanation:
• Under certain conditions, you are allowed to process contact details for direct marketing purposes when
you did not obtain consent, however, only in cases where the exemption to the ‘opt-in consent rule’ –
referred to as the ‘soft opt-in’ – is applicable. The exemption exists when three conditions are met.
• The General Data Protection Regulation (GDPR) only permits processing with the data subject's consent
or another legal basis. This could include protecting the controller's legitimate interest in sending email
marketing. The General Data Protection Regulation expressly applies to the processing of personal data for
direct marketing as a legitimate purpose of the controller, as stated in Recital 47.

QUESTION: 95

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate
purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what
is the impact of a member state’s interpretation of the word “incompatible”?

A. It dictates the level of security a processor must follow when using and storing personal data for two different
purposes.
B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of
personal data.
C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting
personal data.
D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original
intended purpose.

ANSWER: D
Explanation: Under Article 5(1)(b), “incompatible” can be construed to give controllers some degree of flexibility
as they may show that their purpose in the two different processing activities have been compatible by showing
similar grounds. Additionally, this can also be interpreted to lay down a standard for controllers to follow for
strict adherence to necessary purposes, furthering the purpose limitation principle.

QUESTION: 96
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data
processing?

A. Personal data revealing ethnic origin.

B. Personal data revealing genetic information.
C. Personal data revealing financial information.
D. Personal data revealing trade union membership.

ANSWER: C
Explanation: Article 9 of the GDPR lays down ethnic origin, genetic information and trade union membership,
inter alia, as categories of data which are barred from processing. It does not mention financial information as a
special category of personal data within its definition.

QUESTION: 97

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to
article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z
should do which of the following?

A. Notify affected individuals that their data was unavailable for a period of time.
B. Document the loss of availability to demonstrate accountability
C. Notify the supervisory authority about the loss of availability
D. Conduct a thorough audit of all security systems
ANSWER: C
Explanation: As with a permanent loss or destruction of personal data (or indeed any other type of breach), a
breach involving the temporary loss of availability should be documented in accordance with Article 33(5)
GDPR. This assists the controller in demonstrating accountability to the supervisory authority, which
may ask to see those records19. However, depending on the circumstances of the breach, it may or
may not require notification to the supervisory authority and communication to affected individuals.
The controller will need to assess the likelihood and severity of the impact on the rights and freedoms
of natural persons as a result of the lack of availability of personal data. In accordance with Article 33
GDPR, the controller will need to notify unless the breach is unlikely to result in a risk to individuals’
rights and freedoms. Of course, this will need to be assessed on a case-by-case basis.

QUESTION: 98
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU
law?
A. Court of Auditors
B. Court of Justice of European Union
C. European Court of Human Rights
D. European Data Protection Board

ANSWER: B
Explanation: Court of Justice of the European Union ((CJEU)), also called European Court of Justice (ECJ), is
the judicial branch of the European Union (EU). Its basic mission is to ensure the observance and uniform
application and interpretation of EU law within EU member states and institutions.

QUESTION: 99

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

A. App developers will expand the amount of data necessary to collect for an app’s functionality.
B. Users will be given granular types of consent for particular types of processing.
C. App developers’ responsibilities as data controllers will increase.
D. Users will see fewer advertisements when using apps.

ANSWER: B
Explanation: The current GDPR position on consent is strict and varies for different types of processing activities.
This leads to increased variety of consent requirements for specific categories in obtaining consent – leading to
granular types of consent available to data subjects. With different criteria to obtain consent, data subjects have
even more rights and companies using consent have more duties and mechanisms to deal with them in place.

QUESTION: 100

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an
infringement of Articles 37 to 39 of the GDPR?

A. If the data protection officer lacks ISO 27001 auditor certification.

B. If the data protection officer is provided by the data processor.

C. If the data protection officer also manages the marketing budget.

D. If the data protection officer receives instructions from the data controller.

ANSWER: A
Explanation: Through Article 38(6), it can be inferred that the data protection officer may fulfil other tasks and
duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Lack of certification will not infringe Articles 37 to 39

QUESTION: 101

SCENARIO
Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady’s business provides a low-cost suite of services to customers throughout the European

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans
for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake
two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error
through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe,
was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes
Designs and worries that sensitive information regarding his business plans may be misused. Brady does not
believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating
that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he
read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of
Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner
advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted
on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used
within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last
name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that
he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the
quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds
to object to the use of his quotation?

A. Because of the misrepresentation of personal data as an endorsement.

B. Because of the juxtaposition of the quotation with others’ quotations.
C. Because of the use of personal data outside of the social networking service (SNS).
D. Because of the misapplication of the household exception in relation to a social networking service (SNS).

ANSWER: C

QUESTION: 102

In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data
protection impact assessment to address multiple processing operations be allowed?

A. A medical organization that wants to begin genetic testing to support earlier research for which they have
performed a DPIA.
B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s
provider.
C. A marketing team that wants to collect mailing addresses of customers for whom they already have email
addresses.
D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

ANSWER: D
Explanation: Article 35 of GDPR stipulates the grounds for such. A single assessment may address a set of similar
processing operations that present similar high risks. The controller shall seek the advice of the data protection
officer, where designated, when carrying out a data protection impact assessment.

QUESTION: 103

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory
authority?

A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to
reduce.
C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

ANSWER: D

QUESTION: 104

SCENARIO
Please use the following to answer the next question:

The company offers both male and female clothing lines across all age demographics, including children. In doing
so, the company processes large amounts of information about such customers, including preferences and
sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new
mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing
their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to
carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b)
where the results of this assessment indicate a high risk in the absence of appropriate protection measures.
Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before
implementing the app and loyalty scheme.

What must Zandelay provide to the supervisory authority during the prior consultation?

A. An evaluation of the complexity of the intended processing.

B. An explanation of the purposes and means of the intended processing.
C. Records showing that customers have explicitly consented to the intended profiling activities.
D. Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.

ANSWER: B
Explanation: Zandelay must conform to Article 36(3)(b) of GDPR and provide a detailed explanation of purposes
and means utilized for processing of personal data. When consulting the supervisory authority pursuant to
paragraph 1, the controller shall provide the supervisory authority with the respective responsibilities of the
controller, joint controllers and processors involved in the processing, in particular for processing within a group
of undertakings;the purposes and means of the intended processing.

QUESTION: 105

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

A. Providing a multi-layered privacy notice, in a website environment.

B. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
C. Providing a hyperlink to the organization’s home page, in a hard copy application form.
D. Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.
ANSWER: C

QUESTION: 106

Under which of the following conditions does the General Data Protection Regulation NOT apply to the
processing of personal data?

A. When the personal data is processed only in non-electronic form

B. When the personal data is collected and then pseudonymised by the controller
C. When the personal data is held by the controller but not processed for further purposes
D. When the personal data is processed by an individual only for their household activities

ANSWER: D

QUESTION: 107

Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic
Communications Regulations (Directive 2002/58/EC)?

A. Advertisements passively displayed on a website.

B. The use of cookies to collect data about an individual.
C. A text message to individuals from a company offering concert tickets for sale.
D. An email from a retail outlet promoting a sale to one of their previous customer.

ANSWER: A
Explanation: Directed marketing allows for companies to showcase advertisements passively on their websites.
This is because it does not explicitly interfere with a user’s experience and does not invade their privacy by
demanding any additional information about them.

QUESTION: 108

SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls,
action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the
manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has
entered into a number of local distribution contracts. The toys produced by the company can be found in all
popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is
due to international sales.

Why is this company obligated to comply with the GDPR?

A. The company has offices in the EU.

B. The company employs staff in the EU.
C. The company’s data center is located in a country outside the EU.
D. The company’s products are marketed directly to EU customers.

ANSWER: D
Explanation: Any company which provides its services directly to EU customers will be covered under the ambit
of GDPR compliance as it extends its territorial scope to such audience, and processed information regarding
them in according to the purposes stated by them .

QUESTION: 109

Which of the following is NOT a role of works councils?

A. Determining the monetary fines to be levied against employers for data breach violations of employee data.
B. Determining whether to approve or reject certain decisions of the employer that affect employees.
C. Determining whether employees’ personal data can be processed or not.
D. Determining what changes will affect employee working conditions.

ANSWER: A

QUESTION: 110

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the
following is NOT one of these exceptions?

A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving
consent.
C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a
judicial capacity.
D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State
law to lift the prohibition.

ANSWER: A
Explanation: Article 9(2) of GDPR states that exceptions to prohibition against processing of biometric data shall
apply under some instances. These are: when the data subject has given explicit consent to the processing of those
personal data for one or more specified purposes, ; processing is necessary for the purposes of carrying out the
obligations and exercising specific rights of the controller or of the data subject in the field of employment and
social security and social protection law in so far as it is authorised by Union or Member State law or a collective
agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the
interests of the data subject; processing is necessary to protect the vital interests of the data subject or of another
natural person where the data subject is physically or legally incapable of giving consent;

QUESTION: 111

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined
that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to
monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and
offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the
most realistic step the company could take to address their security concerns and comply with the personal data
processing principles set out in Article 5 of the GDPR?

A. Seek informed consent from company employees.

B. Have cameras recording during work hours only.
C. Retain captured footage for no more than 30 days.
D. Restrict camera placement to building entrances only.

ANSWER: D

QUESTION: 112

Which of the following does NOT have to be included in the records most processors must maintain in relation
to their data processing activities?

A. Name and contact details of each controller on behalf of which the processor is acting.
B. Categories of processing carried out on behalf of each controller for which the processor is acting.
C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the
processor is acting.
D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by
the processor on behalf of each controller for which the processor is acting.
ANSWER: D

QUESTION: 113

What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive
95/46/EC) all had in common but largely failed to achieve in Europe?

A. The establishment of a list of legitimate data processing criteria

B. The creation of legally binding data protection principles
C. The synchronization of approaches to data protection
D. The restriction of cross-border data flow

ANSWER: C
Explanation: With such vast number of legislations on different aspects of privacy and data protection in the EU,
a standard synchronization of these laws is essential to ensure that they follow similar rights and obligations
necessitated for adequate protection of EU citizens.

QUESTION: 114

SCENARIO
Please use the following to answer the next question:

Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy
and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U
maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence.
Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered
into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U
content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information
regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.

Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and
entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new
fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to
participate in Market4U’s forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add
to Market4U’s forms?

A. Make all the fields optional.

B. Only request the information in brackets (i.e., age group and salary range).
C. Eliminate the fields, as they are not proportional to the services being offered.
D. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.

ANSWER: C
Explanation:

QUESTION: 115

SCENARIO
Please use the following to answer the next question:

“We are processing you and your child’s personal information with your consent. If you choose not to provide
certain information to us, you may not be able to use our services. You have the right to: request access to you
and your child’s personal information; rectify or erase you or your child’s personal information; the right to
correction or erasure of you and/or your child’s personal information; object to any processing of you and your
child’s personal information. You also have the right to complain to the supervisory authority about our data
processing activities.”

What additional information must Wonderkids provide in their Privacy Statement?

A. How often promotional emails will be sent.

B. Contact information of the hosting company.
C. Technical and organizational measures to protect data.
D. The categories of recipients with whom data will be shared.

ANSWER: D
Explanation: It is imperative to reveal the categories of third-parties with whom data will be shared. Wonderkids
must provide the same in their Privacy Statement to ensure compliance with Article 44, any transfer of personal
data which are undergoing processing or are intended for processing after transfer to a third country or to an
international organization shall take place only if, subject to the other provisions of this Regulation, the conditions
laid down in this Chapter are complied with by the controller and processor, including for onward transfers of
personal data from the third country or an international organization to another third country or to another
international organization.

QUESTION: 116

Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

A. Data subject rights

B. Data access disputes
C. Cross-border processing
D. Special categories of data
ANSWER: C
Explanation: Article 56(1) of GDPR specifies that the supervisory authority of the main establishment or of the
single establishment of the controller or processor shall be competent to act as lead supervisory authority for the
cross-border processing carried out by that controller or processor in accordance with the procedure provided in
Article 60.

QUESTION: 117

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken
into consideration?

A. The ease of identification of individuals.

B. The size of any data processor involved.
C. The special characteristics of the data controller.
D. The nature, sensitivity and volume of personal data.

ANSWER: B
Explanation: Size of an entity (data processor) is not taken into consideration to assess the level of risks associated
with a data breach. Other factors such as identification of individuals, characteristics of data controller and nature,
sensntivity and volume of personal data must be considered pursuant to

QUESTION: 118

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data
processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing
of the personal data so long as?

A. The individuals are European citizens or residents.

B. The data processing activities are in Spain.

C. The data controller is in France.
D. The EU individuals are targeted.

ANSWER: C
Explanation: Under Article 3 of GDPR, the law shall extend to the processing of personal data in the context of
the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing
takes place in the Union or not.T

QUESTION: 119

Which of the following is an example of direct marketing that would be subject to European data protection laws?

A. An updated privacy notice sent to an individual’s personal email address.

B. A charity fundraising event notice sent to an individual at her business address.
C. A service outage notification provided to an individual by recorded telephone message.
D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.

ANSWER: B
Explanation: Since this act involves direct contact with the individual at their business address, which constitites
personal data, it will be subject to GDPR as details of information containing in the notice and its transmission,
use and portability must be protected by outside attack.

QUESTION: 120

As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process
personal data for the purpose of fraud prevention?

A. Protection of the interests of the data subjects.

B. Performance of a contact
C. Legitimate interest
D. Consent

ANSWER: C
Explanation: According to recital 47 of GDPR, the processing of personal data strictly necessary for the purposes
of preventing fraud also constitutes a legitimate interest of the data controller concerned.

QUESTION: 121
An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it
best address the concern that explaining them all would make the policies incomprehensible?

A. Use a layered privacy notice on its website and in its email communications.
B. Identify uses of data in a privacy notice mailed to the data subject.
C. Provide only general information about its processing activities and offer a toll-free number for more information.
D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the
site.

ANSWER: A

QUESTION: 122

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the
following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in
the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where
it is used as the basis for processing
B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and
default.
C. Failure to process personal information in a manner compatible with its original purpose.
D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

ANSWER: B
Explanation: Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to
2% of its entire global turnover of the preceding fiscal year, whichever is higher. Since consent and purpose
limitation are regarded as crucial basis for which severe fines are imposed, where an organisation fails to
implement technical measures, fines will be fairly lesser than the strict penalties otherwise imposed.

QUESTION: 123

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
A. Both govern international transfers of personal data
B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority

ANSWER: D
Explanation: Both contains provisions which require issue of notification of processing activities to a supervisory
authority. In case of GDPR, Article 30(4) stipulates that the controller shall make the record available to the
supervisory authority on request. In the Council of Europe Convention 108, Article 27 governs the same.

QUESTION: 124

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company
to the GDPR?

A. The widgets are offered in the EU and priced in euro.

B. The website is in English and French, and is accessible in France.

C. An affiliate office is located in France but the processing is in the U.S.

D. The website places cookies to monitor the EU website user behavior.

ANSWER: C
Explanation: A U.S. entity can attract European customers by translating its services/goods/website into EU
languages, having EU top-level domain, delivering its goods to Europe, mentioning European customers and use
cases.

QUESTION: 125

A grade school is planning to use facial recognition to track student attendance. Which of the following may
provide a lawful basis for this processing?

A. The school places a notice near each camera.

B. The school gets explicit consent from the students.
C. Processing is necessary for the legitimate interests pursed by the school.
D. A state law requires facial recognition to verify attendance.

ANSWER: D
Explanation:
QUESTION: 126

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the
company encrypt all personal data at rest. Which GDPR principle is she following?

A. Accuracy
B. Storage Limitation
C. Integrity and confidentiality
D. Lawfulness, fairness and transparency

ANSWER: C
Explanation: Integrity and Confidentiality are foundational principles which protect data subject’s privacy by
ensuring safeguard standards such as data encryption, inter alia. Article 5(1)(f) avers that data must be processed
in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate technical or
organisational measures (‘integrity and confidentiality’)

QUESTION: 127

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can
demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on
Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the
following to demonstrate that it has such legitimate grounds EXCEPT?

A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
C. Demonstrate that the profiling is for the purposes of direct marketing.
D. Consider the importance of the profiling to their particular objective.

ANSWER: C
Explanation: Direct marketing purposes as grounds for processing form an exception under profiling in GDPR.

QUESTION: 128

SCENARIO
Please use the following to answer the next question:

In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered
data processor activity?

A. If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.
B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its
algorithms.
C. If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product
improvement activities

D. If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use
their information for its product improvement activities

ANSWER: B
Explanation: One has to differentiate between processing and joint control (Art. 26 GDPR), where both parties
jointly define the purposes and means for the data processing and are thus also jointly responsible for these. In a
controller-processor relationship, the latter is only allowed to process personal data based on the documented
instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract,
without the prior specific or general written authorization of the respective controller. In case of a general
authorization, the processor has to inform him about any relevant changes regarding the processing.

QUESTION: 129

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

A. The requirements affected individuals without exception.

B. The requirements were financially burdensome to EU businesses.
C. The requirements specified that data must be held within the EU.
D. The requirements had limitations on how national authorities could use data.

ANSWER: A
Explanation:
On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it
disproportionally interferes with the European citizens' rights to private life and protection of personal data. The
Court's ruling applies retroactively to the day the Directive entered into force.

QUESTION: 130

Many businesses print their employees’ photographs on building passes, so that employees can be identified by
security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the
GDPR. Why would such practice be permitted?

A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
B. Because photographs qualify as biometric data only when they undergo a “specific technical processing”.
C. Because employees are deemed to have given their explicit consent when they agree to be photographed by their
employer.
D. Because photographic ID is a physical security measure which is “necessary for reasons of substantial public
interest”.

ANSWER: B
Explanation: Biometric data is personal data resulting from specific technical processing relating to the physical,
physiological or behavioral characteristics of individuals. Today’s most common examples of processing
activities involving biometric data are facial or iris scans, voice recognition applications and fingerprint access
systems. However, photographs are not biometric data unless they undergo specific technical processing. Only if
the processing operation falls within one of the exemptions under article 9(2) GDPR, organizations may process
biometric data for the purpose of uniquely identifying individuals.

QUESTION: 131

SCENARIO
Please use the following to answer the next question:

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No
Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask
Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop
using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims
Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock
also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for
marketing purposes; according to
Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the
contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable
to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to
complain to the data protection authority, because he thinks their company has been using his data unlawfully.
His letter states that he does not want his data being used by them in any way. Accidentable’s response letter
confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received
information about Louis’s accident from Bedrock shortly after

Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as
Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for
business purposes. Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them
insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically
feasible.
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply
where personal data are processed in order to carry out tasks in the public interest.
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever
personal data are processed by automated means and necessary for the performance of a contract with the
customer.
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to
develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to
other insurers on request.

ANSWER: A
Explanation: Article 20 of GDPR governs data portability rights of data subjects. For an organization like
Bedrock, it must comply with Article 20(2) exercising his or her right to data portability, the data subject shall
have the right to have the personal data transmitted directly from one controller to another, where technically
feasible. However, since it was not technically feasible in the present case, Bedrock does not have a duty to such
transfer. Further, through Article 20(3), this right shall not apply to processing necessary for the performance of
a task carried out in the public interest or in the exercise of official authority vested in the controller.
QUESTION: 132

In the event of a data breach, which type of information are data controllers NOT required to provide to either the
supervisory authorities or the data subjects?

A. The predicted consequences of the breach.

B. The measures being taken to address the breach.
C. The type of security safeguards used to protect the data.
D. The contact details of the appropriate data protection officer.

ANSWER:
Explanation: Through Article 33(3) of GDPR, a notification alerting a data breach must describe the nature of the
personal data breach including where possible, the categories and approximate number of data subjects concerned
and the categories and approximate number of personal data records concerned; communicate the name and contact
details of the data protection officer or other contact point where more information can be obtained; describe the
likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the
controller to address the personal data breach, including, where appropriate, measures to mitigate its possible
adverse effects.

QUESTION: 133

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company
providing services via an Internet website confirmed by the GDPR?

A. Where the technology supporting the website is located

B. Where the website is accessed
C. Where the decisions about processing are made
D. Where the customer’s Internet service provider is located

ANSWER: C
Explanation: Vide Article (19), the place at which a service provider is established should be determined as per
the pursuit of an economic activity through a fixed establishment for an indefinite period; this requirement is also
fulfilled where a company is constituted for a given period;

QUESTION: 134

A worker in a European Union (EU) member state has ceased his employment with a company. What should the
employer most likely do in regard to the worker’s personal data?

A. Destroy sensitive information and store the rest per applicable data protection rules.
B. Store all of the data in case the departing worker makes a subject access request.
C. Securely store the data that is required to be kept under local law.
D. Provide the employee the reasons for retaining the data.

ANSWER: C
Explanation: As per the 14. 5 of the Official Document it is provided that data of the former employee that must
be retained should be securely archived.

QUESTION: 135

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules
(BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is
established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from
legal enforcement

ANSWER: B

QUESTION: 136

According to the European Data Protection Board, which of the following concepts or practices does NOT follow
from the principles relating to the processing of personal data under EU data protection law?
A. Data ownership allocation.

B. Access control management.

C. Frequent pseudonymization key rotation.
D. Error propagation avoidance along the processing chain.

ANSWER:A
EXPLANATION: As per Guideline 4/2019 released by EDPB the concepts which follow the principles relating
to processing of personal data are access control management, frequent pseudonymization and error propagation
avoidance along the processing chain.

QUESTION: 137

SCENARIO
Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in
Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick,
which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns
designed to highlight the environmental and economic benefits of their products. After months of planning, Liem
and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the
campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with
MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and
making available to them all information necessary to demonstrate compliance with GDPR obligations.

Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped
EcoMick, nor provided her personal data to that company.

Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the
marketing campaigns should be rolled out.
B. EcoMick and JaphSoft are a controller and Liem is a processor because EcoMick is sharing its marketing data
with Liem for contacts in Europe
C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
D. Liem and EcoMick are joint controllers because they carry out joint marketing activities.

ANSWER: B
EXPLANATION: Art 26(1) of the GDPR states that where two or more controllers jointly determine the purposes
and means of processing, they shall be joint controllers. Here, both Liem and EcoMick jointly determined to carry
out marketing purposes, which makes them joint controllers.

QUESTION: 138

SCENARIO
Please use the following to answer the next question:

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find
that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many
years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as
Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for
business purposes.Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them
insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have
grounds for refusing to comply?
A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
B. If Accidentable also uses the data to conduct public health research.
C. If the data becomes necessary to defend Accidentable’s legal rights.
D. If the accuracy of the data is not an aspect that Louis is disputing.
ANSWER: C
EXPLANATION: Art 18(1) (c) of the GDPR provides exception to right to restriction of processing of personal
data which states such request to restrict processing personal data can be denied if it's for defense or legal claims.

QUESTION: 139

SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy
and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U
maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence.
Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered
into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U
content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information
regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.

What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

A. Conduct analysis only on anonymized personal data.

B. Conduct analysis only on pseudonymized personal data.
C. Delete all data collected prior to May 2018 after conducting the trend analysis.
D. Procure a third party to conduct the analysis and delete the data from Market4U’s systems.

ANSWER: A
EXPLANATION:
QUESTION: 140

What type of data lies beyond the scope of the General Data Protection Regulation?

A. Pseudonymized
B. Anonymized
C. Encrypted
D. Masked

ANSWER: B
EXPLANATION: As per recital 26 of the GDPR anonymized data does not fall within the scope of GDPR.

QUESTION: 141

Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

A. A voluntary notification for personal data breaches applicable to all data controllers.
B. A voluntary notification for personal data breaches applicable to electronic communication providers.
C. A mandatory notification for personal data breaches applicable to all data controllers.
D. A mandatory notification for personal data breaches applicable to electronic communication providers.

ANSWER: D
1. EXPLANATION: As per 10.3 of the Official Textbook, 2009 amendment introduced mandatory
notification for personal data breaches applicable to electronic communication providers.

QUESTION: 142

If a company chooses to ground an international data transfer on the contractual route, which of the following is
NOT a valid set of standard contractual clauses?

A. Decision 2001/497/EC (EU controller to non-EU or EEA controller).

B. Decision 2004/915/EC (EU controller to non-EU or EEA controller).

C. Decision 2007/72/EC (EU processor to non-EU or EEA controller).

D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller).
ANSWER: C
EXPLANATION: Decision 2001/497/EC deals with standard contractual clauses for the transfer of personal
data to third countries, Decision 2004/915/EC deals with amending the Decision 2001/497/EC as regards the
introduction of an alternative set of standard contractual clauses for the transfer of personal data to third
countries and Decision 2010/87/EU deals with standard contractual clauses for the transfer of personal data
to processors established in third countries.

QUESTION: 143

SCENARIO
Please use the following to answer the next question:

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is
exploring a number of plans to expand its customer base.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA
reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name,
birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

A. Article 6, which requires processing to be lawful.

B. Article 7, which requires consent to be as easy to withdraw as it is to give.

C. Article 16, which provides data subjects with rights to rectification.
D. Article 20, which gives data subjects a right to data portability.

ANSWER: B
EXPLANATION: Art 7(3) of the GDPR provides that customers should have the right to withdraw their consent
at any time.

QUESTION: 144

With the issue of consent, the GDPR allows member states some choice regarding what?

A. The mechanisms through which consent may be communicated

B. The circumstances in which silence or inactivity may constitute consent
C. The age at which children must be required to obtain parental consent
D. The timeframe in which data subjects are allowed to withdraw their consent

ANSWER: C
EXPLANATION: Art 8(1) of the GDPR it provides that member state can lower the age for children’s consent
provided it is not below 13 years of age.

QUESTION: 145

SCENARIO
Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is
headquartered in Montreal, and all of its employees are located there. The company offers its services to
Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet
traffic from outside of Canada (although this solution doesn’t prevent all nonCanadian traffic). It also declines to
process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-
Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the
EU, and the company is exploring a number of plans to expand its customer base.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA
reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name,
birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

A. The company isn’t a controller established in the Union.

B. The laptop belonged to a company located in Canada.
C. The data isn’t considered personally identifiable financial information.
D. There is no evidence that the thieves have accessed the data on the laptop.

ANSWER: A
EXPLANATION: Art 3(1) provides that GDPR is applicable to those controller/processor which are established
in the Union. Since Who-R-U is a Canadian Company, it is not required to notify the local German DPA.

QUESTION: 146

What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

A. To encourage the consistency of local data processing activity.

B. To give corporations a choice about who their supervisory authority will be.
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in
a member state
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.

ANSWER: D

QUESTION: 147

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle
found in the GDPR?

A. The obligation of companies to declare data breaches.

B. The requirement to demonstrate compliance to a supervisory authority.
C. The necessity of the bulk collection of personal data by the government.
D. The requirement for the free flow of personal data between its Contracting Parties
ANSWER: B

QUESTION: 148

When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

A. When the data has been pseudonymized.

B. When the data is protected by technological safeguards.
C. When the data serves the legitimate interest of third parties.

D. When the data subject has failed to use a provided opt-out mechanism.
ANSWER: B

QUESTION: 149

SCENARIO
Please use the following to answer the next question:

IT department to make copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s information. Alice believes that
Joe will be happy that she did the first level review, as it will save the company a lot of money that would
otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated
Article 5 of the GDPR because the company failed to first do what?

A. Send out consent forms to all of its employees.

B. Minimize the amount of data collected for the lawsuit.
C. Inform all of its employees about the lawsuit.
D. Encrypt the data from all of its employees.

ANSWER: B
EXPLANATION: Art 5(1) (c) of the GDPR provides that data shall be collected limited to what is necessary in
relation to the purposes for which they are processed.

QUESTION: 150
Which type of personal data does the GDPR define as a “special category” of personal data?

A. Educational history.
B. Trade-union membership.
C. Closed Circuit Television (CCTV) footage.
D. Financial information.

ANSWER: B
EXPLANATION: Art 9 (1) defines sensitive personal data which includes Trade-Union membership within its
scope.

QUESTION: 151

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect
to his own personal data. Under what condition can the organisation charge the data subject for processing the
request?

A. Only where the organisation can show that it is reasonable to do so because more than one request was made.

B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
C. Only where the administrative costs of taking the action requested exceeds a certain threshold.

D. Only if the organisation can demonstrate that the request is clearly excessive or misguided.

ANSWER: D
EXPLANATION: As per Art 12(5) of the GDPR if the requests from a data subject are manifestly unfounded or
excessive then the organization can charge a reasonable fee.

QUESTION: 152

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the
processor. These include all of the following EXCEPT?

A. Consent management and withdrawal.

B. Incident detection and response.
C. Preventative security.
D. Remedial security.

ANSWER: A
EXPLANATION: 10.2.1 of the Official Textbook the three domains of security covered by Art 32 are: Incident
detection and response, preventive security and remedial security.

QUESTION: 153

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data
access request?

A. Within 40 days of receipt

B. Within 40 days of receipt, which may be extended by up to 40 additional days
C. Within one month of receipt, which may be extended by up to an additional month
D. Within one month of receipt, which may be extended by an additional two months

ANSWER: D
EXPLANATION: As per Art 12(3) of the GDPR time limit for complying with the request is within one month
of receipt, which may be extended by an additional two months.

QUESTION: 154

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect
to his own personal data. Under what condition can the organization charge the data subject a fee for processing
the request?

A. Only where the organization can show that it is reasonable to do so because more than one request was made.
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
C. Only where the administrative costs of taking the action requested exceeds a certain threshold.
D. Only if the organization can demonstrate that the request is clearly excessive or misguided

ANSWER: D
EXPLANATION: As per Art 12(5) of the GDPR if the requests from a data subject are manifestly unfounded or
excessive then the organization can charge a reasonable fee.

QUESTION: 155

To which of the following parties does the territorial scope of the GDPR does NOT apply?
A. All member countries of the European Economic Area.
B. All member countries party to the Treaty of Lisbon.
C. All member countries party to the Paris Agreement.
D. All member countries of the European Union.
ANSWER: A
EXPLANATION:

QUESTION: 156

How does the GDPR now define “processing”?

A. Any act involving the collecting and recording of personal data.

B. Any operation or set of operations performed on personal data or on sets of personal data.
C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.

ANSWER: B
EXPLANATION: Art 4(2) of the GDPR defines processing as any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.

QUESTION: 157

Which statement is correct when considering the right to privacy under Article 8 of the European Convention on
Human Rights (ECHR)?

A. The right to privacy is an absolute right

B. The right to privacy has to be balanced between other rights under the ECHR
C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

ANSWER: B

QUESTION: 158

In which situation would a data controller most likely be able to justify the processing of the data of a child
without parental consent?

A. When the data is to be processed for market research.

B. When providing preventive or counselling services to the child.
C. When providing the child with materials purely for educational use.
D. When a legitimate business interest makes obtaining consent impractical.

ANSWER: B
EXPLANATION:

QUESTION: 159

Which of the following countries will continue to enjoy adequate status under the GDPR, pending any future
European Commission decision to the contrary?

A. Greece
B. Norway
C. Australia
D. Switzerland

ANSWER: D
EXPLANATION: The Official Website of the European Commission provides a list of countries enjoying
adequate status and it includes Switzerland.

QUESTION: 160
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base,
password- protected, listing all the social network followers of the client. Regarding the domain of the controller-
processor relationships, how is this situation considered?

A. Compliant with the security principle, because the data base is password-protected.
B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
C. Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data
subject.
D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.

ANSWER: B
EXPLANATION: Option (b) is in violation of purpose limitation principle as provided in Art 5(1)(b).

QUESTION: 161

SCENARIO
Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the
industry.

● Name
● Address
● Date of Birth
● Payroll Number
● National Insurance Number
● Sick Pay Entitlement
● Maternity/ Paternity Pay Entitlement
● Holiday Entitlement
● Pension and Benefits Contributions
● Trade Union Contributions

Jenny is the compliance officer at Company

A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the
new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company
B to use the time and attendance data only for the purpose of providing the payroll service, and to apply
appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that
Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the
interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract. Weeks
later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance
the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal
data from Company B’s live systems in order to create a new database for Company. Their omission of data
protection provisions in their contract with Company C.

B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the
industry. Company B’s payroll solution for Company A relies on the collection of time and attendance data
obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any
biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the
payroll service. Company B’s live systems will contain the following information for each of Company A’s
employees:
● Name
● Address
● Date of Birth
● Payroll Number
● National Insurance Number
● Sick Pay Entitlement
● Maternity/ Paternity Pay Entitlement
● Holiday Entitlement
● Pension and Benefits Contributions
● Trade Union Contributions
Jenny is the compliance officer at Company This database will be stored in a test environment hosted on Company
C’s U.S. server. The two companies agree not to include any data processing provisions in their services
agreement, as data is only being used for IT testing purposes. Unfortunately, Company C’s U.S. server is only
protected by an outdated IT security system, and suffers a cyber-security incident soon after Company C begins
work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company
C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in
connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all
affected employees.

Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential enforcement action?

A. Their omission of data protection provisions in their contract with Company C.

B. Their failure to provide sufficient security safeguards to Company A’s data
C. Their engagement with Company C to improve their payroll service.
D. Their decision to operate without a data protection officer.

ANSWER: D
EXPLANATION: All other options are in violation of the GDPR provisions.

QUESTION: 162

Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a
single data protection officer?

A. The group of undertakings must obtain approval from a supervisory authority.

B. The group of undertakings must be comprised of organizations of similar sizes and function

C. The data protection officer must be located in the country where the data controller has its main establishment.
D. The data protection officer must be easily accessible from each establishment where the undertakings are located.

ANSWER: D
EXPLANATION: Art 37(2) of the GDPR mentions that A group of undertakings may appoint a single data
protection officer provided that a data protection officer is easily accessible from each establishment.
QUESTION: 163

SCENARIO
Please use the following to answer the next question:

Ben’s collection of additional data from customers created several potential issues for the company, which would
most likely require what?

A. New corporate governance and code of conduct.

B. A data protection impact assessment.
C. A comprehensive data inventory.
D. Hiring a data protection officer.

ANSWER: B
EXPLANATION:

QUESTION: 164

SCENARIO
Please use the following to answer the next question:

Registration Form

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first
complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older,
unless parental consent has been given to minors intending to use it.)
● First Name
● Surname
● Year of Birth
● Email
● Physical Address (optional)
● Health Status

1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
4. Consent

If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do
what?

A. Provide the user with logs of data collected through use of the app.

B. Erase any data collected from the time the app was first used.
C. Inform any third parties of the user’s withdrawal of consent.
D. Cease processing any data collected through use of the app.

ANSWER: D
EXPLANATION:

QUESTION: 165

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

A. When the controller is collecting email addresses from individuals via an online registration form for marketing
purposes.
B. When personal data is being collected and combined with other personal data to profile the creditworthiness of
individuals.
C. When the controller is required to have a Data Protection Officer.
D. When personal data is being transferred outside of the EEA.

ANSWER: B
EXPLANATION: As per Art 34(3)(a) of the GDPR it provides that DPIA is when there is a mandatory a
systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated
processing, including profiling,

QUESTION: 166
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

A. Incidents of personal data breaches, whether disclosed or not.

B. Data inventory or data mapping exercises that have been conducted.
C. Categories of recipients to whom the personal data have been disclosed.

D. Retention periods for erasure and deletion of categories of personal data.

ANSWER: A
EXPLANATION: All other options except Aare compulsory requirement under Art 30 of the GDPR.

QUESTION: 167

Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR?

A. The payment card number of a Dutch citizen

B. The U.S. social security number of an American citizen living in France
C. The unlinked aggregated data used for statistical purposes by an Italian company
D. The identification number of a German candidate for a professional examination in Germany

ANSWER: C
EXPLANATION: Art 4(1) of the GDPR provides the definition of Personal Data.

QUESTION: 168

SCENARIO
Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while
Frank is a lecturer in the engineering department. The University maintains a number of types of records:
● Student records, including names, student numbers, home addresses, pre-university information, university
attendance and performance records, details of special educational needs and financial information.
● Staff records, including autobiographical materials (such as curricula, professional contact files, student
evaluations and other relevant teaching files).
● Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These
records are available to former students after registering through Granchester’s Alumni portal.
● Department for Education records, showing how certain demographic groups (such as first-generation students)
could be expected, on average, to progress.
● These records do not contain names or identification numbers. Under their security policy, the University encrypts
all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to
Department for Education expectations. He has attended one of Anna’s data protection training courses and knows
that he should use no more personal data than necessary to accomplish his goal. He creates a program that will
only export some student data: previous schools attended, grades originally obtained, grades currently obtained
and first Time University attended. He wants to keep the records at the individual student level. Mindful of Anna’s
training, Frank runs the student numbers through an algorithm to transform them into different reference numbers.
He uses the same algorithm on each occasion so that he can update each record over time. One of Anna’s tasks is
to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as
required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Before Anna determines whether Frank’s performance database is permissible, what additional information does
she need?

A. More information about Frank’s data protection training.

B. More information about the extent of the information loss.
C. More information about the algorithm Frank used to mask student numbers.
D. More information about what students have been told and how the research will be used.
ANSWER: D
EXPLANATION: Before deciding the validity of the database it has to be determined whether there was lawful
processing of data. That is, whether the requirements of valid consent as provided in Art 6 has been fulfilled.

QUESTION: 169

SCENARIO
Please use the following to answer the next question:

For what reason would JaphSoft be considered a controller under the GDPR?

A. It determines how long to retain the personal data collected.

B. It has been provided access to personal data in the MarketIQ database.
C. It uses personal data to improve its products and services for its client-base through machine learning.
D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

ANSWER: A

QUESTION: 170

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By
collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses
machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs
who are not in its data set based the algorithm and its existing data. The service collects photographs of data
subjects in the European Union and will identify them if presented with their photographs. Bioface offers its
service to government agencies and companies in the United States and Canada, but not to those in the European
Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A. It collects data from European Union websites, which constitutes an establishment in the European Union.
B. It offers services in the European Union by identifying data subjects in the European Union.
C. It collects data from subjects and uses it for automated processing.
D. It monitors the behavior of data subjects in the European Union.

ANSWER: A
EXPLANATION: As per Art 3(2) of the GDPR, since Bioface collects data of individual residing in EU, it will
be subject to GDPR provisions.
QUESTION: 171

SCENARIO

Please use the following to answer the next question:

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over
Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland
so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter,
Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard
about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in
place a legal mechanism to transfer data internally from the company’s operations in the European Union to the
U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major
lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice
instructs the company’s IT department to make copies of the computer hard drives from the entire global sales
team, including the European Union, and send everything to her so that she can review everyone’s information.
Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money
that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR
occurred because the processing of the data created what?

A. An information security risk by copying the data into a new database.

B. A potential legal liability and financial exposure from its customers.

C. A significant risk to the customers’ fundamental rights and freedoms.
D. A significant risk due to the lack of an informed consent mechanism.

ANSWER: C
EXPLANATION: The additional data collected by Ben would fall under the category of sensitive personal data
which would pose significant risk to customer’s fundamental rights if not adequately secured.

QUESTION: 172

In which of the following situations would an individual be most likely to be able to withdraw her consent for
processing?

A. When she is leaving her bank and moving to another bank.

B. When she has recently changed jobs and no longer works for the same company.
C. When she disagrees with a diagnosis her doctor has recorded on her records.
D. When she no longer wishes to be sent marketing materials from an organization.

ANSWER: D
EXPLANATION: As per Art 18(1)(c) of the GDPR individual can restrict the processing of personal data by
withdrawing consent if it is not related to defense or legal claims. Apart from (d) all options would fall under the
exemption.
QUESTION: 173

Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly
required by Article 5 of the GDPR?

A. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers
to compliance with government regulations.
B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of
company guidelines by the state; transparency solely relates to communication of key information before
collecting data.
C. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances
to ensure they are uniformly enforced.

D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be
uniform; transparency refers to giving individuals access to their data.

ANSWER: A
EXPLANATION: Art 5 (1) of the GDPR provides that Personal data shall be processed lawfully, fairly and in a
transparent manner in relation to the data subject

QUESTION: 174

What is the consequence if a processor makes an independent decision regarding the purposes and means of
processing it carries out on behalf of a controller?

A. The controller will be liable to pay an administrative fine

B. The processor will be liable to pay compensation to affected data subjects
C. The processor will be considered to be a controller in respect of the processing concerned
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more
of the parties involved

ANSWER: C
EXPLANATION: As per Art 82(2), processor shall be held liable where it has acted outside or contrary to lawful
instructions of the controller.
QUESTION: 175

A company plans to transfer employee health information between two of its entities in France. To maintain the
security of the processing, what would be the most important security measure to apply to the health data
transmission?

A. Inform the data subject of the security measures in place.

B. Ensure that the receiving entity has signed a data processing agreement.
C. Encrypt the transferred data in transit and at rest.
D. Conduct a data protection impact assessment.

ANSWER: B
EXPLANATION:

QUESTION: 176

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data
transfer solution. Which of the following statements would help the company make an effective decision?

A. Binding Corporate Rules are especially recommended for small and medium companies.
B. The data exporter does not need to be located in the EU for the standard Contractual Clauses.
C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-
group agreement.
D. The company will need the prior authorization of all EU data protection authorities for concluding Standard
Contractual Clauses.

ANSWER: C
EXPLANATION: Binding corporate rules (BCR) are data protection policies adhered to by companies
established in the EU for transfers of personal data outside the EU within a group of undertakings or
enterprises. Such rules must include all general data protection principles and enforceable rights to
ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every
member concerned of the group.
QUESTION: 177

SCENARIO
Please use the following to answer the next question:

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to
Department for Education expectations. He has attended one of Anna’s data protection training courses and knows
that he should use no more personal data than necessary to accomplish his goal. He creates a program that will
only export some student data: previous schools attended, grades originally obtained, grades currently obtained
and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s
training, Frank runs the student numbers through an algorithm to transform them into different reference numbers.
He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving
her email reminder, Frank informs Anna about his performance database.

Anna will find that a risk analysis is NOT necessary in this situation as long as?

A. The data subjects are no longer current students of Frank’s

B. The processing will not negatively affect the rights of the data subjects
C. The algorithms that Frank uses for the processing are technologically sound
D. The data subjects gave their unambiguous consent for the original processing

ANSWER: B
EXPLANATION: Risk analysis would be required when processing of personal data would affect the rights of
the data subjects.

QUESTION: 178

SCENARIO

Please use the following to answer the next question:

Natural Insight’s machine learning algorithms.

What is the nature of BHealthy and Natural Insight’s relationship?

A. Natural Insight is BHealthy’s processor because the companies entered into data processing terms.

B. Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural
Insight.
C. Natural Insight is the controller because it determines the security measures to implement to protect data it
processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new
sunscreens.
D. Natural Insight is a controller because it separately determines the purpose of processing when it uses BHealthy’s
customer information to improve its machine learning algorithms.

ANSWER: A
EXPLANATION: Natural Insight is BHealthy’s processor since the companies have entered into data processing
terms.

QUESTION: 179

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own
Device (BYOD) programs?

A. Data subjects must be sufficiently informed of the purposes for which their personal data is processed.
B. Processing of special categories of personal data on a large scale requires appointing a DPO.

C. Personal data of data subjects must always be accurate and kept up to date.
D. Data controllers must be in control of the data they hold at all times.

ANSWER: D
EXPLANATION: Bring your own device (BYOD) poses certain data protection compliance issues since the
employer remains responsible as a controller for any personal data processed on the employee’s device for work-
related purposes using the work email settings. But the device also contains information about the employee’s
personal life that an employer would not usually have a lawful reason to access.

QUESTION: 180

When would a data subject NOT be able to exercise the right to portability?

A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B. When the processing is carried out pursuant to a contract with the data subject.
C. When the data was supplied to the controller by the data subject.
D. When the processing is based on consent.

ANSWER: A
EXPLANATION: According to Article 20(3) GDPR, the right shall not apply to processing necessary for the
performance of a task carried out in the public interest or in the exercise of official authority vested in the
controller.

QUESTION: 181

The GDPR requires controllers to supply data subjects with detailed information about the processing of their
data. Where a controller obtains data directly from data subjects, which of the following items of information
does NOT legally have to be supplied?

A. The recipients or categories of recipients.

B. The categories of personal data concerned.
C. The rights of access, erasure, restriction, and portability.
D. The right to lodge a complaint with a supervisory authority.

ANSWER: B

EXPLANATION: Article 13(1) does not legally require the controller to supply categories of personal data
concerned where the data is obtained directly from data subjects.

QUESTION: 182

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice
of the European Union (CJEU) in relation to their roles and functions?

A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.
B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.
D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.
ANSWER: B
EXPLANATION: ECHR is only binding on the member states while The CJEU is the judicial body of the EU
that makes decisions on issues of EU law and enforces European decisions either in respect of actions taken by
the Commission against a member state or action taken by an individual to enforce their rights under EU law.

QUESTION: 183

An employee of company ABCD has just noticed a memory stick containing records of client data, including
their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear
text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an
employee. What should the company do?

A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
C. Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects until more
information can be gathered.
D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized
person.

ANSWER: A
EXPLANATION: In the case of a loss of a USB key with unencrypted personal data it is often not possible to
ascertain whether unauthorized persons gained access to that data. Nevertheless, even though the
controller may not be able to establish if a confidentiality breach has taken place, such a case has to
be notified as there is a reasonable degree of certainty that an availability breach has occurred; the
controller would become “aware” when it realized the USB key had been lost.

QUESTION: 184

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection
laws throughout the European Union?

A. That it essentially functions as a one-stop shop mechanism

B. That it takes the form of a Regulation as opposed to a Directive
C. That it makes notification of large-scale data breaches mandatory
D. That it makes appointment of a data protection officer mandatory

ANSWER: B

QUESTION: 185

What are the obligations of a processor that engages a sub-processor?

A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-
processor’s performance.

C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the
performance of its obligations in relation to the personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data
processing obligations that are equivalent to those that apply to the processor.

ANSWER: D
EXPLANATION: According to Article 28(2) GDPR, the processor shall not engage another processor without
prior specific or general written authorization of the controller. In the case of general written authorization, the
processor shall inform the controller of any intended changes concerning the addition or replacement of other
processors, thereby giving the controller the opportunity to object to such changes.

QUESTION: 186

SCENARIO
Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-
dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This
year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to
triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben
decided to join his father’s company, but is also secretly working on launching a new global online dating website
company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might
also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal
and requires customers in the European Union and elsewhere to provide additional personal information in order
to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval
from?

A. The Court of Justice of the European Union.

B. The European Data Protection Board.
C. The Data Protection Authority.
D. The European Commission.

ANSWER: C
EXPLANATION: According to Article 47, the competent supervisory authority shall approve binding corporate
rules in accordance with the consistency mechanism set out in Article 63.

QUESTION: 187

SCENARIO
Please use the following to answer the next question:

What presents the BIGGEST potential privacy issue with the company’s practices?

A. The NFC portal can read any data stored in the action figures
B. The information about the data processing involved has not been specified

C. The cloud service provider is in a country that has not been deemed adequate
D. The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities

ANSWER: B
EXPLANATION: According to Article 12, the controller shall take appropriate measures to provide any
information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to
processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and
plain language, in particular for any information addressed specifically to a child.

QUESTION: 188

Which of the following was the first to implement national law for data protection in 1973?

A. France
B. Sweden
C. Germany
D. United Kingdom

ANSWER: B
EXPLANATION: Sweden created the Data Act, the first national privacy law in 1973.

QUESTION: 189

SCENARIO
Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new
manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research,
he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a
new, cutting-edge website for TripBliss Inc. 's founding business.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard
practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files
gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his
dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment
at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the
following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial
intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon
experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the
data from the USB stick and inform his manager that the company’s system of access control must be
reconsidered.

With regard to TripBliss Inc.’s use of website cookies, which of the following statements is correct?

A. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc.,
consent requirements apply to their use of cookies.
B. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately
from customers.
C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent
is necessary.
D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from
customers.

ANSWER: A

QUESTION: 190

SCENARIO
Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for
the purposes of the GDPR maintains its primary establishment in France. Javier lives in

Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two
years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in
Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told
that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen
into disrepute due to widespread mistreatment of members at various branches of the club in several EU member
states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the
fitness club After numerous failed attempts to book an appointment with the manager of the local branch to
discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and
all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes
very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he
decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge
a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the
supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has
an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the
supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant
to the consistency mechanism, issues a binding decision. Additionally, Javier sues EVERFIT for the damages
caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers,
and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in
order to seek compensation?

A. He will have to sue EVETFIT's head office in France, where EVETFIT has its main establishment.
B. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire
damage.
C. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation
commensurate with its contribution to the damage or distress suffered by Javier.
D. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT
branch is liable for damages, based on the decision that was made by the board.

ANSWER: C

QUESTION: 191

Which of the following is the weakest lawful basis for processing employee personal data?

A. Processing based on fulfilling an employment contract.

B. Processing based on employee consent.
C. Processing based on legitimate interests.
D. Processing based on legal obligation

ANSWER: B
EXPLANATION: Recital 43 of the Regulation specifically states that consent should not provide a valid legal
ground for processing of personal data in a specific case where there is a clear imbalance between the data subject
and controller. Employees may feel pressured into providing consent to the use of their data because they may
fear that to refuse would have a prejudicial effect on their employment.
QUESTION: 192

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a
privacy group litigation or class action. These organizations are commonly known as?

A. Law firm organizations.

B. Civil society organizations.
C. Human rights organizations.
D. Constitutional rights organizations.

ANSWER: B
EXPLANATION: The data subject shall have the right to mandate a not-for-profit body, organization or
association which has been properly constituted in accordance with the law of a Member State, has statutory
objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and
freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf.

QUESTION: 193

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries
under Article 42?

A. Approved certifications.
B. Binding corporate rules.
C. Law enforcement requests.
D. Standard contractual clauses.

ANSWER: A
EXPLANATION: Article 25 provides that an approved certification mechanism – created pursuant to Article 42
of the Regulation – may be used as an element to demonstrate compliance.

QUESTION: 194
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers
and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online
shop’s PRIMARY obligation while engaging in this kind of profiling?

A. It must solicit informed consent through a notice on its website

B. It must seek authorization from the European supervisory authorities
C. It must be able to demonstrate a prior business relationship with the customers
D. It must prove that it uses sufficient security safeguards to protect customer data

ANSWER: A
EXPLANATION: According to Article 12 GDPR, the controller shall take appropriate measures to provide any
information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible
form, using clear and plain language. The information shall be provided in writing, or by other means, including,
where appropriate, by electronic means.

QUESTION: 195

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive
(2006/24/EC). Why is the Directive no longer part of EU law?

A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
B. The Directive was superseded by the General Data Protection Regulation.
C. The Directive was annulled by the Court of Justice of the European Union.
D. The Directive was annulled by the European Court of Human Rights.

ANSWER: C
EXPLANATION: The Court of Justice of the European Union declared the Data Retention Directive invalid
stating that despite the Directive’s legitimate purpose of fighting against serious crime and the protection of public
security, it does not meet the principle of proportionality and should provide more safeguards regarding the
protection of fundamental rights such as respect for private life and the protection of personal data.

QUESTION: 196

Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when
companies do what?
A. Choose the data protection officer that is most sympathetic to their business concerns.
B. Designate their main establishment in a member state with the most flexible practices.
C. File appeals of infringement judgments with more than one EU institution simultaneously.
D. Select third-party processors on the basis of cost rather than quality of privacy protection.

ANSWER: B
EXPLANATION: According to Article 29 Working Party, the GDPR does not permit forum shopping wherein a
company claims to have its main establishment in one Member State, but no effective and real exercise of
management activity or decision making over the processing of personal data takes place there.

QUESTION: 197

When collecting personal data in a European Union (EU) member state, what must a company do if it collects
personal data from a source other than the data subjects themselves?

A. Inform the subjects about the collection

B. Provide a public notice regarding the data
C. Upgrade security to match that of the source
D. Update the data within a reasonable timeframe

ANSWER: A
EXPLANATION: The controller shall take appropriate measures to provide any information referred to in
Articles 14 and any communication under relating to processing to the data subject in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, in particular for any information addressed
specifically to a child.

QUESTION: 198

Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among
those granted?

A. Legislative powers.
B. Corrective powers.
C. Investigatory powers.
D. Authorization and advisory powers.

ANSWER: A
EXPLANATION: Article 58 of the GDPR does not grant the supervisory authorities' legislative powers.

QUESTION: 199

According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

A. To create and maintain records of processing activities.

B. To conduct Privacy Impact Assessments on behalf of the controller or processor.
C. To monitor compliance with other local or European data protection provisions.
D. To create procedures for notification of personal data breaches to competent supervisory authorities.

ANSWER: C
EXPLANATION: According to Article 39(1)(b), the data protection officer shall monitor compliance with this
Regulation, with other Union or Member State data protection provisions and with the policies of the controller
or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-
raising and training of staff involved in processing operations, and the related audits.

QUESTION: 200

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability
in the event of a security breach?

A. Documenting due diligence steps taken in the pre-contractual stage.

B. Conducting a risk assessment to analyze possible outsourcing threats.
C. Requiring that the processor directly notify the appropriate supervisory authority.
D. Maintaining evidence that the processor was the best possible market choice available.

ANSWER: C
EXPLANATION: According to Article 33, In the case of a personal data breach, the controller shall without
undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data
breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is
unlikely to result in a risk to the rights and freedoms of natural persons.

QUESTION: 201

SCENARIO
Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German
metropolitan cities. However, after a recent merger with another German-based company that was selling to a
broader European market, T- Craze revamped its marketing efforts to sell to a wider audience. These efforts
included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to
capture more information about visitors through the use of cookies. T-Craze also opened various office locations
throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and
main product-design office, its French affiliate became responsible for all marketing and sales activities. The
French affiliate recently procured the services of Right Target, a renowned marketing firm based in the
Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze
is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university
students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right
Target also ran subsequent campaigns for T-Craze, though with much less success. The last two campaigns
included a wider demographic group and resulted in countless unsubscribe requests, including a large number in
Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment
banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such
communications from the Right Target on behalf of TCraze.

Why does the Spanish supervisory authority notify the French supervisory authority when it opens an
investigation into T- Craze based on Sofia’s complaint?

A. T-Craze has a French affiliate.

B. The French affiliate procured the services of Right Target.
C. T-Craze conducts its marketing and sales activities in France.
D. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

ANSWER: C
EXPLANATION: Since T-Craze conducts all its marketing and sales activities in France, the Spanish supervisory
authority notified the French supervisory authority.

QUESTION: 202

What obligation does a data controller or processor have after appointing a data protection officer?

A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her
defined tasks.
B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or
her expert knowledge.
C. To ensure that the data protection officer acts as the sole point of contact for individuals’ questions about their
personal data.
D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and
demonstrate compliance with data protection principles.

ANSWER: B
EXPLANATION: According to Article 38, the controller and processor shall support the data protection officer
in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and
access to personal data and processing operations, and to maintain his or her expert knowledge.

QUESTION: 203
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data
on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take
a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
A. The public
B. Company X
C. Law enforcement
D. The supervisory authority

ANSWER: B
EXPLANATION: According to Article 33(2), the processor shall notify the controller without undue delay after
becoming aware of a personal data breach.

QUESTION: 204
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future
European Commission decision to the contrary?
A. Greece
B. Norway
C. Australia
D. Switzerland

ANSWER: D
EXPLANATION: The European Commission recognized Andorra, Argentina, Canada, Faroe Islands, Guernsey,
the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection

QUESTION: 205
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base,
password-protected, listing all the social network followers of the client. Regarding the domain of the controller-
processor relationships, how is this situation considered?
A. Compliant with the security principle, because the data base is password-protected.
B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
C. Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data
subject.
D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data
base.

ANSWER: B
EXPLANATION: The situation is considered non-compliant, as the storage of the data exceeds the tasks
contractually authorized by the controller violating the principle of storage limitation.

QUESTION: 206
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2
of the GDPR?
A. Anonymizing special categories of data.
B. Conducting regular audits of the data protection program.
C. Getting consent from the data subject for a cross border data transfer.
D. Encrypting data in transit and at rest using strong encryption algorithms.

ANSWER: B
EXPLANATION: The accountability principle requires that organizations put in place appropriate technical and
organizational measures and be able to demonstrate its effectiveness when requested.

QUESTION: 207
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed
that derogations may be relied upon under what condition?
A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the
appropriate documents.
B. When it has been determined that adequate protection can be performed.
C. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
D. Only as a last resort and when interpreted restrictively.

ANSWER: D
Explanation: The EDPB confirmed that the derogations must be interpreted restrictively and only relied on as a
last resort, when the provision of adequate protection or appropriate safeguards for the personal data transferred
is not possible.

QUESTION: 208
The Planet 49 CJEU Judgement applies to?
A. Cookies used only by third parties.
B. Cookies that are deemed technically necessary.
C. Cookies regardless of whether the data accessed is personal or not.
D. Cookies where the data accessed is considered as personal data only.

ANSWER: C
EXPLANATION: According to the Planet 49 CJEU judgement, it does not matter whether the cookies constitute
personal data or not - Article 5(3) of the e-Privacy Directive (i.e., the cookie consent rule) applies to any
information installed or accessed from an individual's device.

QUESTION: 209
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based
common platform for collecting and sharing their customer data with each other, in order to integrate their
marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and
confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past
through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards
program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike
has signed the agreement to be a rewards program member. Now Mike wants to know what personal information
the company holds about him. He sends an email requesting access to his data, in order to exercise what he
believes are his data subject rights. What are ABC Hotel Chain and XYZ Travel Agency’s roles in this
relationship?
A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.
B. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.
C. ABC Hotel Chain and XYZ Travel Agency are independent controllers.
D. ABC Hotel Chain and XYZ Travel Agency are joint controllers.

ANSWER: A
EXPLANATION: ABC Hotel chain determines the purposes and the means of processing of personal data while
XYZ Travel agency is processing data on behalf of ABC Hotel Chain.

QUESTION: 210
For which of the following operations would an employer most likely be justified in requesting the data subject’s
consent?
A. Posting an employee’s bicycle race photo on the company’s social media.
B. Processing an employee’s health certificate in order to provide sick leave.
C. Operating a CCTV system on company premises.
D. Assessing a potential employee’s job application.

ANSWER: A
EXPLANATION: Posting an employee’s bicycle race photo on the company’s social media would justify
requesting the data subject’s consent as the other operations would have deemed consent.

QUESTION: 211
The origin of privacy as a fundamental human right can be found in which document?
A. Universal Declaration of Human Rights 1948.
B. European Convention of Human Rights 1953.
C. OECD Guidelines on the Protection of Privacy 1980.
D. Charier of Fundamental Rights of the European Union 2000.
ANSWER: A
EXPLANATION: The right to privacy is recognized as a basic human right under Article 12 of the Universal
Declaration of Human Rights Act, 1948.

QUESTION: 212
Which statement provides an accurate description of a directive?
A. A directive specifies certain results that must be achieved, but each member state is free to decide how to turn
it into a national law
B. A directive has binding legal force throughout every member state and enters into force on a set date in all the
member states.
C. A directive is a legal act relating to specific cases and directed towards member states, companies 0' private
individuals.
D. A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into
force.

ANSWER: B
EXPLANATION: Directives are a form of legislation binding upon member states, but they ‘leave to the
national authorities the choice of form and methods’ for implementation

QUESTION: 213
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has
developed a two-pronged strategy for growth:
1) expand ProStorage s global customer base and
2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently
been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel
to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work
together to manage her schedule and ensure that she is able to make all her medical appointments The latter has
become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was
hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to
connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the
doctors based on accommodate on requests Ruth made when she started a: ProStorage What transfer mechanism
did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
A. Ruth's implied consent.
B. Protecting the vital interest of Ruth
C. Performance of a contract with Ruth.
D. Protecting against legal liability from Ruth.

ANSWER: C
EXPLANATION:

QUESTION: 214[Question Incomplete]

Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has
developed a two-pronged strategy for growth:
1) expand ProStorage s global customer base and
2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently
been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel
to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work
together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has
become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was
hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to
connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the
doctors based on accommodate on requests Ruth made when she started a: ProStorage Why was Jackie correct in
not completing a transfer impact assessment for HRYourWay?
A. HRYourWay was ultimately not selected
B. HRYourWay is not located in a third country.
C. ProStorage will obtain consent for all transfers.
D. ProStorage can rely on its Binding Corporate Rules

ANSWER: C
EXPLANATION:

QUESTION: 215
Higher fines are assessed for GDPR violations due to which of the following?
A. Failure to notify a supervisory authority and data subjects of a personal data breach
B. Violations of a data controller's obligations to obtain a child's consent
C. Failure to appoint a data protection officer.
D. Violations of a data subject's rights
ANSWER: B
EXPLANATION: Consent on activities which concern children is crucial in GDPR. The law places addititonal
obligations of obtaining of guardians associated with such children and compliance is higher. With higher
compliance safeguards, the fines imposed are also higher for violations which occur to obtain child’s valid
consent.

QUESTION: 216
A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of
the following would be the best legal basis for the company to rely upon?
A. Public interest.
B. Individual consent
C. Legitimate interest.
D. Exercise of pubic authority.

ANSWER: C

QUESTION: 217
According to the European Data Protection Board, data subjects should be aware of any video surveillance in
operation. How should a retail shop operator ensure that data subjects receive at information required for such a
purpose under EU data protection law?
A. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its
social media channels.
B. The shop operator should provide full notice of the intended video surveillance outside the shop, for example
with a sign or a stand-up display.
C. The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects
every time they enter the shop.
D. The shop operator should provide the most important information on a clearly readable warning sign to data
subjects before they enter the monitored area, and additional mandatory details by other means.

ANSWER: D
EXPLANATION: Regarding video surveillance the most important information should be dis played on the
warning sign itself (first layer) while the further mandatory details may be provided by other means (second
layer). [edpb_guidelines_201903_videosurveillance.pdf]

QUESTION: 218
Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic
clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry
plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry
tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?
A. Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.
B. Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails
C. Permit Jerry to carry out his marketing plan on the basis of legitimate interest
D. Require Jerry to include an option to opt out of marketing emails in the future

ANSWER: C
EXPLANATION:
The ePrivacy Directive allows a limited exemption from this strict opt-in requirement
for direct marketing by electronic mail to individuals whose details the data controller
obtained ‘in the context of the sale of a product or service’ (sometimes known as the
‘soft opt-in’ rule). This allows data controllers to send electronic mail marketing on an
opt-out basis provided that:
• The data controller obtained the individuals’ electronic mail contact details ‘in
the context of the sale of a product or a service’
• The data controller sends direct marketing to those individuals about ‘its own
similar products or services’ only
• The data controller clearly and distinctly gave those individuals the opportunity
to opt out of marketing by electronic mail in a way that is simple and free
of charge both at the time their details were initially collected and in each
subsequent marketing communication.

QUESTION: 219
A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The
camera does not film any public areas only areas that are the property of the homeowner. The system has seen
declared to the authorities per the homeowner's country law, and a placard indicating the area is being video
monitored is visible when entering the property Why can the homeowner NOT depend on the household
exemption with regards to the processing of the video images recorded by the surveillance camera system?
A. The surveillance camera system can potentially capture biometric information of the homeowner's family,
which would be considered a processing of special categories of personal data.
B. The homeowner has not specified which security measures ore in place as part of the surveillance camera
system
C. The GDPR specifically excludes surveillance camera images from the household exemption
D. The surveillance camera system can potentially film individuals who enter its filming perimeter

ANSWER: D
EXPLANATION: The data subjects entering the filming perimeter won’t be aware of being filmed by the
surveillance camera.

QUESTION: 220
Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the
ethical use of Artificial Intelligence?
A. It should be fair.
B. It should be lawful
C. It should prevent harm
D. It should respect human autonomy.

ANSWER: B
EXPLANATION: The 4 principles developed by the European AI Alliance regarding the ethical use of Artificial
Intelligence are: respect for human autonomy, prevention of harm, fairness and explicability.

QUESTION: 221
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope
of the GDPR or outside of it?
A. Outside the material scope of the GDPR, because transactions do not include personal data about data subjects
m the European Union.
B. Within the material scope of the GDPR but outside of the territorial scope, because blockchains are
decentralized.
C. Within the material scope of the GDPR to the extent that transactions include data subjects in the European
Union.
D. Outside the material scope of the GDPR, because transactions are for personal or household purposes

ANSWER: C
EXPLANATION: According to Article 3, This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not established in the Union, where the processing
activities are related to the offering of goods or services, irrespective of whether payment of the data subject is
required, to such data subjects in the Union.
QUESTION: 222
After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company
notify first under GDPR requirements?
A. Any parents of children whose personal data was compromised.
B. Any affected customers whose data was compromised.
C. A competent supervisory authority.
D. A local law enforcement agency

ANSWER: C
EXPLANATION: According to Article 33, in the case of a personal data breach, the controller shall without
undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data
breach to the supervisory authority competent in accordance with Article 55.

QUESTION: 223
If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what
must the company do next, per GDPR requirements'?
A. Notify the police and file a criminal complaint about the incident
B. Start an investigation to understand the incident's possible scope, duration and nature
C. Send a notification to the competent supervisory authority describing the incident.
D. Send an email about the incident to all clients and ask them to change their passwords

ANSWER: B
EXPLANATION: As per the EDPB guidelines, the notification requirement triggers only when the controller is
aware of the incident and as per the EDPB guidelines example ‘A cybercriminal contacts the controller after
having hacked its system in order to ask for a ransom. In that case, after checking its system to confirm it has
been attacked the controller has clear evidence that a breach has occurred and there is no doubt that it has become
aware’ hence first we need to start the investigation first.

QUESTION: 224
If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT
be validly determined by said controllers?
A. The definition of a central contact point for data subjects.
B. The rules regarding the exercising of data subjects" rights.
C. The rules to provide information to data subjects in Articles 13 and 14.
D. The non-disclosure of the essence of their arrangement to data subjects

ANSWER: C
EXPLANATION: According to Article 26 GDPR, where two or more controllers jointly determine the purposes
and means of processing, they shall be joint controllers. They shall in a transparent manner determine their
respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the
exercising of the rights of the data subject and their respective duties to provide the information referred to in
Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective
responsibilities of the controllers are determined by Union or Member State law to which the controllers are
subject to.

QUESTION: 225
What is the main task of the European Data Protection Board?
A. To assess adequacy of data protection in third countries
B. To ensure consistent application of the GDPR.
C. To proactively prevent disputes between national supervisory authorities.
D. To publish guidelines tor data subjects on how to property enforce their rights

ANSWER: B
EXPLANATION: The European Data Protection Board (EDPB) is an independent European body, which
contributes to the consistent application of data protection rules throughout the European Union, and promotes
cooperation between the EU's data protection authorities

QUESTION: 226
In relation to third countries and international organizations, which of the following shall, along with the
supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the
enforcement of data protection legislation?
A. The European Parliament
B. The Council of the European Union.
C. The designated Data Protection Officers
D. The European Commission

ANSWER: D
EXPLANATION: According to Article 50(1) GDPR, in relation to third countries and international organizations,
the European Commission and supervisory authorities shall take appropriate steps to develop international
cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data.

CIPPE Question Bank V2.0
100% (1)
CIPPE Question Bank V2.0
137 pages
CIPPE SampleQuestions v5.0
100% (1)
CIPPE SampleQuestions v5.0
23 pages
Cipp-E - Sample Test 2-To Read
100% (3)
Cipp-E - Sample Test 2-To Read
12 pages
Cipp-E - Sample Test 4-To Read
No ratings yet
Cipp-E - Sample Test 4-To Read
21 pages
CIPT Questions Without Answer
No ratings yet
CIPT Questions Without Answer
102 pages
AAN Ukraine Presentation April24 - Press
No ratings yet
AAN Ukraine Presentation April24 - Press
10 pages
Kill Exams Q&A CIPP: E
No ratings yet
Kill Exams Q&A CIPP: E
8 pages
CIPP/E Module 1 and Chapter 1 Summary
No ratings yet
CIPP/E Module 1 and Chapter 1 Summary
7 pages
Privacy Program Management (Russell Densmore, CIPPE, CIPPUS, CIPM, CIPT Etc.)
No ratings yet
Privacy Program Management (Russell Densmore, CIPPE, CIPPUS, CIPM, CIPT Etc.)
298 pages
CIPPE SampleQuestions v6.1
No ratings yet
CIPPE SampleQuestions v6.1
18 pages
CIPT Dumps
100% (1)
CIPT Dumps
50 pages
Iapp Exambible Cipp
No ratings yet
Iapp Exambible Cipp
22 pages
CIPPE FSG November - 2018 - v1
No ratings yet
CIPPE FSG November - 2018 - v1
14 pages
CIPP E BoK 1.2.0
0% (1)
CIPP E BoK 1.2.0
3 pages
GDPR in Charts
50% (4)
GDPR in Charts
13 pages
CIPP E Outline
100% (4)
CIPP E Outline
55 pages
The Safer, Easier Way To Help You Pass Any IT Exams
100% (1)
The Safer, Easier Way To Help You Pass Any IT Exams
36 pages
GDPR Casebook 2018-2023
No ratings yet
GDPR Casebook 2018-2023
147 pages
Clamp Meter - Mastering The Art of Measurement - EN.r00
No ratings yet
Clamp Meter - Mastering The Art of Measurement - EN.r00
65 pages
GDPR Study Notes PDF
100% (2)
GDPR Study Notes PDF
80 pages
CIPP Asia BOK 1 0 0 Final PDF
100% (1)
CIPP Asia BOK 1 0 0 Final PDF
7 pages
Your Electronic Ticket Receipt
No ratings yet
Your Electronic Ticket Receipt
2 pages
GDPR Training
83% (6)
GDPR Training
60 pages
Iapp Testkings Cipp-E Dumps 2022-Jul-01 by Dick 126q Vce
100% (1)
Iapp Testkings Cipp-E Dumps 2022-Jul-01 by Dick 126q Vce
24 pages
Iapp Passguide Cipp-E Vce Download 2022-Apr-27 by Kelly 112q Vce
No ratings yet
Iapp Passguide Cipp-E Vce Download 2022-Apr-27 by Kelly 112q Vce
23 pages
Cipp e
No ratings yet
Cipp e
5 pages
3.1 CIPP E Case Studies Part 1
No ratings yet
3.1 CIPP E Case Studies Part 1
6 pages
Deed of Dissolution of Partnership
No ratings yet
Deed of Dissolution of Partnership
4 pages
What Is GDPR
No ratings yet
What Is GDPR
5 pages
GDPR Articles With Commentary & EU Case Laws PDF
100% (2)
GDPR Articles With Commentary & EU Case Laws PDF
359 pages
Facts
100% (1)
Facts
2 pages
IAPP Foundation Free Study Guide
50% (4)
IAPP Foundation Free Study Guide
13 pages
MINE LEGISLATION One Liner
100% (2)
MINE LEGISLATION One Liner
68 pages
Secretary's Certificate
No ratings yet
Secretary's Certificate
2 pages
Cippe FSG 3.15.16
67% (3)
Cippe FSG 3.15.16
14 pages
Article 14 of Constitution of India
No ratings yet
Article 14 of Constitution of India
3 pages
9-Reforming Business For The 21st Century - A Framework For The Future of The Corporation
No ratings yet
9-Reforming Business For The 21st Century - A Framework For The Future of The Corporation
33 pages
Common Law & The Human Rights Act 1998
100% (1)
Common Law & The Human Rights Act 1998
44 pages
CIPPE Outline (Unknown) (Z-Library)
100% (1)
CIPPE Outline (Unknown) (Z-Library)
109 pages
SSRN Id1316289
No ratings yet
SSRN Id1316289
27 pages
Rizal Surety Vs Ca
No ratings yet
Rizal Surety Vs Ca
7 pages
Financial Statement Presentation
No ratings yet
Financial Statement Presentation
2 pages
CIPP Glossary Tests.2.0.35 PDF
100% (2)
CIPP Glossary Tests.2.0.35 PDF
44 pages
Prime Global Cities Index q1 2022 9021
No ratings yet
Prime Global Cities Index q1 2022 9021
2 pages
GDPR Questionnaire
No ratings yet
GDPR Questionnaire
3 pages
Data Protection Officer Requirements by Country
100% (1)
Data Protection Officer Requirements by Country
8 pages
CIPP - E Authoritative Resource List 4.0 PDF
No ratings yet
CIPP - E Authoritative Resource List 4.0 PDF
3 pages
In The - Court of - County State of
No ratings yet
In The - Court of - County State of
8 pages
Brexit Data Protection Flowchart
No ratings yet
Brexit Data Protection Flowchart
20 pages
Data Protection Certification Mechanisms Study Publish
No ratings yet
Data Protection Certification Mechanisms Study Publish
449 pages
Sample CIPP E Self Led Course
100% (2)
Sample CIPP E Self Led Course
3 pages
Getting Ready For GDPR Compliance
No ratings yet
Getting Ready For GDPR Compliance
10 pages
IAPP Privacy Certification Candidate Handbook
100% (1)
IAPP Privacy Certification Candidate Handbook
54 pages
List of CIPPE Syllabus
No ratings yet
List of CIPPE Syllabus
5 pages
GDPRterritorial Scope of Application - FEDERICO MARENGO
No ratings yet
GDPRterritorial Scope of Application - FEDERICO MARENGO
1 page
Appointment Receipt
No ratings yet
Appointment Receipt
2 pages
of OPEC
No ratings yet
of OPEC
30 pages
CIPPE Online Training Course - International Data Transfers - Chapter 12
No ratings yet
CIPPE Online Training Course - International Data Transfers - Chapter 12
1 page
Dying Declaration by Karandeep Singh (Sinhmar)
No ratings yet
Dying Declaration by Karandeep Singh (Sinhmar)
7 pages
CIPT SampleQuestions v5.1
100% (1)
CIPT SampleQuestions v5.1
17 pages
CIPM Exam - Page 6 - ExamTopics
No ratings yet
CIPM Exam - Page 6 - ExamTopics
10 pages
GDPR Case Studies
No ratings yet
GDPR Case Studies
18 pages
Iapp Cipp e
No ratings yet
Iapp Cipp e
8 pages
Joint Tortfeasors
No ratings yet
Joint Tortfeasors
6 pages
CIPP:A Blueprint PDF
No ratings yet
CIPP:A Blueprint PDF
2 pages
CIPP Exam Preparation Tips 1725949523
No ratings yet
CIPP Exam Preparation Tips 1725949523
29 pages
Old Licence
No ratings yet
Old Licence
2 pages
Tata Group-Case Study
No ratings yet
Tata Group-Case Study
6 pages
The Land of God and Man: Confronting Our Sexual Culture
No ratings yet
The Land of God and Man: Confronting Our Sexual Culture
344 pages
India Pune Industrial h2 2023
No ratings yet
India Pune Industrial h2 2023
2 pages
Modern History Questions: REVOLT 1857
No ratings yet
Modern History Questions: REVOLT 1857
65 pages
Self Service Controller
100% (1)
Self Service Controller
4 pages
3.2 CIPP E Case Studies Part 2
No ratings yet
3.2 CIPP E Case Studies Part 2
6 pages
Hendrickson 2006
No ratings yet
Hendrickson 2006
17 pages
Iapp Cippe FSG Updated May 2024 v3 PDF
0% (3)
Iapp Cippe FSG Updated May 2024 v3 PDF
3 pages
IAPP CIPM Exam Questions
0% (1)
IAPP CIPM Exam Questions
3 pages
CIPP E Demo
No ratings yet
CIPP E Demo
6 pages
GreytHR Annexure
No ratings yet
GreytHR Annexure
2 pages
I TAX Exemption - Oct-2024 To Dec-2024
No ratings yet
I TAX Exemption - Oct-2024 To Dec-2024
2 pages
CIPP-E Exam Practice Questions
No ratings yet
CIPP-E Exam Practice Questions
20 pages
Why You Feel Stuck - and How To Get Mo5vated - Shannon Odell
No ratings yet
Why You Feel Stuck - and How To Get Mo5vated - Shannon Odell
3 pages
CFA Agreement
No ratings yet
CFA Agreement
30 pages
Ultimate GDPR Practitioner Guide (2nd Edition): Demystifying Privacy & Data Protection
From Everand
Ultimate GDPR Practitioner Guide (2nd Edition): Demystifying Privacy & Data Protection
Stephen R Massey
No ratings yet
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
From Everand
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
IT Governance Privacy Team
No ratings yet
IAPP CIPP/US Certification A Practical Study Guide to Master the Certified Information Privacy Professional Exam
From Everand
IAPP CIPP/US Certification A Practical Study Guide to Master the Certified Information Privacy Professional Exam
Jamie Murphy
No ratings yet
GDPR-standard data protection staff training: What employees & associates need to know by Dr Paweł Mielniczek
From Everand
GDPR-standard data protection staff training: What employees & associates need to know by Dr Paweł Mielniczek
Paweł Mielniczek
No ratings yet
EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide
From Everand
EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide
ITGP Privacy Team
5/5 (2)
Data Protection Officer
From Everand
Data Protection Officer
Sarah Taylor
No ratings yet
Intro to GDPR: A Plain English Guide to Compliance
From Everand
Intro to GDPR: A Plain English Guide to Compliance
Punit Bhatia
No ratings yet
A Last Minute Hands-on Guide to GDPR Readiness
From Everand
A Last Minute Hands-on Guide to GDPR Readiness
alasdair gilchrist
No ratings yet