Ch. 14 GDPR and International Privacy Quiz Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

The General Data Protection Regulation (GDPR) is based on the principles of proportionality and subsidiarity. What is the meaning of ‘proportionality’ in this context?

A) Personal data can only be processed in accordance with the purpose specification.
B) Personal data cannot be re-used without explicit and informed consent.
C) Personal data may only be processed in case there are no other means to achieve the purposes.
D) Personal data must be adequate, relevant and not excessive in relation to the purposes.

A

A) Incorrect. This is one of the legal limitations.
B) Incorrect. This is one of the legal limitations.
C) Incorrect. This is the definition of subsidiarity.
D) Correct. See:Course slide81 (day 1) Proportionality & subsidiarity checkand GDPR art. 35 (7).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The GDPR does not define privacy as a term but uses the concept implicitly throughout the text. What is a correct definition of privacy as implicitly used throughout the GDPR?

A) The fundamental right to protection of personal data, regardless of how it was obtained
B) The right not to be disturbed by uninvited people, nor being followed, spied on or monitored
C) The right to respect for one’s private and family life, home and personal correspondence
D) The right to freedom of opinion and expression and to seeking, receiving and imparting information

A

<a>physical privacy.
C) Correct. This is the definition as implicitly used throughout the GDPR. (Literature: A, Chapter 1)
D) Incorrect. This is a short version of Universal Declaration of Human Rights Article 19: freedom of opinion and expression.</a>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the relationship between data protection and privacy?

A) Data protection and privacy are synonyms and have the same meaning.
B) Data protection is the part of privacy that protects a person’s physical integrity.
C) Data protection refers to the measures needed to protect a person’s privacy.

A

A) Incorrect. Data protection helps to protect a person’s privacy, but the terms are not synonyms.
B) Incorrect. Data protection is not related to physical integrity or physical privacy.
C) Correct. Data protection are some of the measures needed to protect a person’s privacy. (Literature: A, Chapter 1)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Personal data as defined in the GDPR can be divided into several types. One of these types is described: Data that directly or indirectly reveal someone’s racial or ethnic background, political, philosophical, religious views, union affiliation and data related to health or sex life and sexual orientation. What type of personal data is this?

A) Direct personal data
B) Indirect personal data
C) Pseudonymized data
D) Special category personal data

A

A) Incorrect. Both direct and indirect data are described.
B) Incorrect. Both direct and indirect data are described.
C) Incorrect. Pseudonymized data cannot directly reveal information.
D) Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which data subject right is explicitly defined by the GDPR?

A) A copy of personal data must be provided in the format requested by the data subject.
B) Access to personal data must be provided free of charge for the data subject.
C) Personal data must always be changed at the request of the data subject.
D) Personal data must always be erased if the data subject requests this.

A

A) Incorrect. It must be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the data subject specifies.
B) Correct. Data subjects have a right to a copy of their data free of charge. However, only the first copy has to be free. (Literature: A, Chapter 4)
C) Incorrect. Only erroneous data has to be rectified.
D) Incorrect. The right to erasure has several exceptions to this, for instance if the data are needed for the establishment, exercise or defense of legal claims.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Which role in data protection is defined here?

A) Controller
B) Processor
C) Supervisory authority
D) Third party

A

A) Correct. The controller determines the purpose and means of the processing. (Literature: A, Chapter 1; GDPR Article 4(7))
B) Incorrect. The controller determines the purpose of the processing, the processor works on the controller’s instructions.
C) Incorrect. The supervisory authority monitors and enforces compliance with the GDPR requirements.
D) Incorrect. A third party has no role in determining the purpose of the processing. Any party that determines the purpose would become a new controller.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

A) Controller
B) Data protection officer (DPO)
C) Processor
D) Supervisory authority

A

A) Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature: A, Chapter 2)
B) Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.
C) Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though
D) Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center. By comparing the license plate time of entry and exit the number of cars present every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year.Which of the basic principles for legitimate processing of personal data is violated in this scenario?

A) Personal data are collected for specified, explicit and legitimate purposes and not further processed.
B) Personal data are kept in a form permitting identification of data subjects for no longer than is necessary.
C) Personal data are processed in a manner that ensures appropriate security of the personal data.
D) Personal data are processed in a transparent manner in relation to the data subject.

A

A) Incorrect. The local government is entitled to collect data on the number of cars present.
B) Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner<br></br>once it has left the area. (Literature: A, Chapter 2; GDPR Article 5)
C) Incorrect. The scenario does not suggest inappropriate security.
D) Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?

A) Personal data can only be processed in accordance with the purpose specification.
B) Personal data cannot be reused without explicit and informed consent.
C) Personal data may only be processed when there are no other means to achieve the purposes.
D) Personal data must be adequate, relevant and not excessive in relation to the purposes.

A

A) Incorrect. This is one of the legal limitations.
B) Incorrect. This is one of the legal limitations.
C) Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7)
D) Incorrect. This is the definition of proportionality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.For which purpose is further processing not allowed?

A) For archiving purposes in the public interest
B) For direct marketing and commercial purposes
C) For generalized statistical purposes
D) For scientific or historical research purposes

A

A) Incorrect. With the safeguards in place, further processing is allowed for archiving purposes in the public interest.
B) Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)
C) Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.
D) Incorrect. With the safeguards in place, further processing is allowed for research purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

<p>A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital A. In city B, he becomes a patient of hospital B. The patient has opted out of the national electronic patients file system.<br></br>The patient asks hospital A to forward his medical file directly to hospital B. According to the GDPR, what is allowed?<br></br><br></br>A) The hospital in A can send the data directly to hospital B, as requested by the patient<br></br>B) The hospital in A can send the file to hospital B, before the patient has requested it<br></br>C) The hospital in A can send the medical file to the data subject, but not to another hospital<br></br>D) The hospital in A cannot send the file, because there is no legitimate ground for processing</p>

A

<p>A) Correct. The right to portability allows this. (Literature: A, Chapter 3)<br></br>B) Incorrect. The hospital in B can only acquire the file from A with consent or if it is in the vital interest of the data subject and consent cannot be obtained.<br></br>C) Incorrect. The data subject can ask for the data to be sent directly.<br></br>D) Incorrect. A request, which implies consent, of the data subject is a sufficient legitimate ground.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.What is this an example of?

A) Data access
B) Personal data breach
C) Security incident
D) Security vulnerability

A

A) Incorrect. The data have not been accessed.
B) Incorrect. No personal data has been processed unauthorized yet, so it is not a breach.
C) Incorrect. Processing has yet to begin, there is no reason to assume an incident has taken place.
D) Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

”The controller shall implement appropriate technical and organizational measures for ensuring that (.) only personal data which are necessary for each specific purpose of the processing are processed.” Which term in the GDPR is defined here?

A) Compliance
B) Data protection by design and by default
C) Embedded data protection

A

A) Incorrect. Compliance means meeting rules or standards.
B) Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25)
C) Incorrect. Embedded data protection is the result of data protection by design.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

According to the GDPR, what is a task of a supervisory authority?

A) Implement technical and organizational measures to ensure compliance
B) Investigate security breaches of corporate information
C) Monitor and enforce the application of the GDPR

A

A) Incorrect. This is the task of the controller.
B) Incorrect. Only breaches of personal data are a concern of the supervisory authority.
C) Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

According to the GDPR, what is a description of binding corporate rules (BCR)

A) A decision on the safety of transferring personal data to a non-EEA country
B) A measure to compensate for the lack of personal data protection in a third country
C) A set of agreements covering personal data transfers between non-EEA countries
D) A set of approved rules on personal data protection used by a group of enterprises

A

A) Incorrect. This refers to adequacy decisions.
B) Incorrect. This refers to appropriate safeguards.
C) Incorrect. The GDPR does not cover agreements between non-EEA countries.
D) Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A controller wants to outsource processing of personal data to a processor. What must be done before outsourcing?

A) The controller must ask the supervisory authority for permission to outsource the processing of the data.
B) The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations.
C) The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.
D) The processor must show the controller that all demands agreed in the service level agreement (SLA) are met.

A

C) The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.

A) Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.
B) Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.
C) Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28(3))
D) Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

<p>What is a description of data protection by design and by default?<br></br><br></br>A) An approach that implements data protection from the start<br></br>B) An indication of timeframes if processing relates to erasure<br></br>C) Data may only be collected for explicit and legitimate purposes<br></br>D) Not holding more data than is strictly required for processing</p>

A

<p>A) Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1))<br></br>B) Incorrect. This is a description of a data protection impact assessment (DPIA).<br></br>C) Incorrect. This is a description of measures taken to comply with the principle of purpose limitation.<br></br>D) Incorrect. This is a description of procedures to comply with the principle of data minimization.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

<p>According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?<br></br><br></br>A) When a project includes technologies or processes that use personal data<br></br>B) When processing is likely to result in a high risk to the rights of data subjects<br></br>C) When similar processing operations with comparable risks are repeated</p>

A

<p>A) Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.<br></br>B) Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)<br></br>C) Incorrect. This is a case in which a DPIA does not need to be repeated.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

<p>What is the main use of a persistent cookie?<br></br><br></br>A) To ensure that the user’s personal data are stored securely on the server<br></br>B) To personalize the user’s experience of the website during a next visit<br></br>C) To record every keystroke made by a computer user to find out passwords<br></br>D) To save the pages a user has bookmarked in the user’s browser history</p>

A

<p>A) Incorrect. Cookies are not used to store data on the server.<br></br>B) Correct. This is the main purpose of a persistent cookie. (Literature: A, Chapter 8)<br></br>C) Incorrect. Cookies are not malicious by nature, but the mechanism can be exploited maliciously.<br></br>D) Incorrect. The bookmarks and browser history are saved, but not in a cookie.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?

A) The right to compensation
B) The right to object to profiling
C) The right to rectification

A

A) Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.
B) Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)
C) Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The processing of personal data has to meet general rules on quality. What is one of these rules defined by the GDPR?

A) The data processed must be archived.
B) The data processed must be encrypted.
C) The data processed must be indexed.
D) The data processed must be relevant.

A

A) Incorrect. No such requirement is defined by the GDPR.
B) Incorrect. No such requirement is defined by the GDPR.
C) Incorrect. No such requirement is defined by the GDPR.
D) Correct. This requirement is defined by the GDPR. See: Course slides 66 (day 1) General rules on quality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Every time personal data is processed, proportionality and subsidiarity must be checked. What is the requirement for the personal data being processed?<p></p><p><br></br>A) It must be limited always to what is necessary to achieve the defined goals and must be limited to the least “intrusive” data.<br></br>B) It must be handled by the smallest number of employees possible and they must work for the Controller or an affiliate.<br></br>C) It must be limited to a predefined storage size and the system used must be financed by the Controller.<br></br>D) It must be used for the smallest number of purposes possible and this may not be done outside the premises of the Processor.</p>

A

<p>A) Correct. These terms mean you collect no more data than needed to achieve the predefined goal(s), and you always try to use data that has the least impact on the privacy of the Data Subject. See: Course slide 81 (day 1) Proportionality & subsidiarity check.<br></br>B) Incorrect. The number of employees or their affiliation to some subsidiary has nothing to do with these terms.<br></br>C) Incorrect. Storage size and who finances the systems used has nothing to do with these terms.<br></br>D) Incorrect. As long as the Data Subject gives consent the number of goals is not explicitly restricted, nor is the location.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

<p>"The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed." Which term in the General Data Protection Regulation (GDPR) is defined?<br></br><br></br>A) Compliance<br></br>B) Data protection by default<br></br>C) Data protection by design<br></br>D) Embedded protection</p>

A

<p>A) Incorrect. Compliance is the state or fact of according with - or meeting rules or standards.<br></br>B) Correct. By default the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. See: GDPR art. 20 (2).<br></br>C) Incorrect. Data protection by design refers to a design that includes appropriate measures to implement data protection principles.<br></br>D) Incorrect. Embedded data protection is the result of data protection by design.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

<p>What is the term used in the General Data Protection Regulation (GDPR) for unauthorized disclosure of, or access to, personal data?<br></br><br></br>A) confidentiality violation<br></br>B) data breach<br></br>C) incident<br></br>D) security incident</p>

A

<p>A) Incorrect. GDPR uses the term data breach. Not every data breach is a confidentiality violation.<br></br>B) Correct. See: GDPR article 4 (12)<br></br>C) Incorrect. GDPR uses the term data breach. Not every incident is a data breach.<br></br>D) Incorrect. GDPR uses the term data breach. Not every security incident is a data breach.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

<p>It has been ascertained that a data breach of sensitive personal data occurred. To whom must this ultimately be reported according to the General Data Protection Regulation (GDPR)?<br></br><br></br>A) the Data Protection Authority (DPA)<br></br>B) the Data Protection Officer (DPO)<br></br>C) the manager of the department<br></br>D) the police</p>

A

<p>A) Correct. Data breaches must be reported to the DPA if they might have a significant impact on the security of the data subject or their personal data. See Course slide 98 (day 1) Notification by telecom organisations.<br></br>B) Incorrect. Even though it might be reported to an internal DPO, in the end it must be reported to the DPA.<br></br>C) Incorrect. Even though it might be reported to the manager, in the end it must be reported to the DPA.<br></br>D) Incorrect. Data breaches don't necessarily have to be reported to the police, but in the end they must<br></br>be reported to the DPA.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

<p>While performing a backup, a data server disk crashes. Both the data and the backup are lost. The disk contained personal data but no sensitive data.<br></br>What kind of incident is this?<br></br><br></br>A) data breach<br></br>B) security breach<br></br>C) security incident</p>

A

<p>A) Correct. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach. See: GDPR Chapter I, Article 4, Definitions.<br></br>B) Incorrect. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach.<br></br>C) Incorrect. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

<p>Someone working for a trade union took a draft newsletter home to finish it there for the members. The USB stick containing the draft and the mailing list, was lost.<br></br>Apart from the privacy authority, to whom should this data breach also be reported?<br></br><br></br>A) all members on the mailing list<br></br>B) the board of the trade union<br></br>C) the police</p>

A

<p>A) Correct. See: Course slide 98 & 102 (day 1) Notification of the Data Subject.<br></br>B) Incorrect. This is sensitive data, so the loss must be reported to both the privacy authority and the data subjects.<br></br>C) Incorrect. This is sensitive data, so the loss must be reported to both the privacy authority and the data subjects.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

<p>A social services organization plans to design a new database to administrate its clients and the care they need. In order to request permission from the Data Protection Authority (DPA), what is one of the first important steps to be taken?<br></br><br></br>A) Collect data about the clients and the amount and kind of care needed and provided.<br></br>B) Conduct a Privacy Impact Assessment (PIA) to assess the risks of the intended processing.<br></br>C) Obtain consent of the clients for the intended processing of their personal data.</p>

A

<p>A) Incorrect. Collecting medical personal data is by definition 'processing sensitive data'. Permission of the DPA and the data subject is needed beforehand.<br></br>B) Correct. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...' See: GDPR recital (39). A PIA is needed to assess those risks and safeguards.<br></br>C) Incorrect. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...'. A PIA is needed first to assess those risks and safeguards.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

<p>In which case should the Data Subjects always be notified of a data breach?<br></br>A) The breach did not lead to a significant probability for detrimental consequences for the protection of personal data.<br></br>B) The personal data was processed at a facility of the Processor that is not located within the borders of the EU.<br></br>C) The personal data was processed by a party that did not yet sign a binding contract with the Controller.<br></br>D) The system on which the personal data was processed was attacked causing damage to its storage devices.</p>

A

<p>A) Incorrect. If there is no significant negative (potential) impact on the Data Subjects, there is no obligation to notify them of the breach. You should still consider it though.<br></br>B) Incorrect. The location where the data is processed is of no significance to the obligation to notify Data Subjects of data breaches.<br></br>C) Correct. Any situation where personal data is processed by another party than the Controller without a binding contract guaranteeing compliance to the GDPR is always considered a data breach. See: Course slide 103 (day 1) Notification of the Data Subject.<br></br>D) Incorrect. Damage to storage devices will make access to the data difficult or even impossible, but does not imply illegal processing. Processing might even become impossible altogether in this particular example.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

<p>A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the Data Protection Authority (DPA). Is was discovered and he was penalized by the DPA. Six months later the DPA finds out that the controller is guilty of the same transgression again for another processing operation.<br></br>What is the maximum penalty the DPA can impose in this case?<br></br><br></br>A) € 750.000<br></br>B) €1.230.000<br></br>C) 2% of the company's worldwide turnover with a minimum of € 10.000.000<br></br>D) 4% of the company's worldwide turnover with a minimum of € 20.000.000</p>

A

<p>A) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000.<br></br>B) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000.<br></br>C) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000<br></br>D) Correct. This is the maximum for a violation. See: GDPR art. 83.3.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

<p>1 / 40<br></br>A company implements a privacy policy, which helps to demonstrate compliance with the GDPR. It is recommended that this policy is made publicly accessible for several reasons.<br></br>What is the main reason for making the privacy policy publicly available?<br></br><br></br>A) To allow customers and partners to verify which personal data the organization must process<br></br>B) To allow customers, partners and the supervisory authority to assess how personal data are handled<br></br>C) To communicate the result of data protection impact assessments (DPIAs) performed in the organization<br></br>D) To inform the supervisory authority of how the organization will respond after personal data breaches</p>

A

<p>A) Incorrect. Publicly available privacy policies do not establish which personal data must be processed<br></br>by the organization. They provide transparency to the personal data processing.<br></br>B) Correct. A publicly available policy supports transparency, allows customers and partners to assess it, and provides a clear statement that supervisory authorities and other regulators can assess the organization against. (Literature: A, Chapter 16)<br></br>C) Incorrect. The result of the DPIAs are intended to be documented for internal consultation and should not be included in the privacy policy.<br></br>D) Incorrect. How the organization responds to a data breach is part of the data breach response plan, which is an internal document and not required to be publicly available.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

<p>According to the GDPR, what information is not a mandatory part of a privacy policy?<br></br><br></br>A) Information about international transfers of personal data to a third country<br></br>B) Information about the identity and contact details of the controller<br></br>C) Information relating to data security measures in the organization<br></br>D) Information relating to retention periods and data subject's rights</p>

A

<p>A) Incorrect. This is mandatory.<br></br>B) Incorrect. This is mandatory.<br></br>C) Correct. This is part of an information security policy. (Literature: A, Chapter 16; GDPR Article 13)<br></br>D) Incorrect. This is mandatory.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

<p>The GDPR embraces the principles of privacy by design and by default. The application of these principles includes the implementation of both technical and organizational measures. Why are organizational measures necessary?<br></br><br></br>A) Because privacy by design and by default requires that the organization restricts personal data access to controllers only<br></br>B) Because protecting the rights of data subjects, requires organizational processes that technical measures cannot cover<br></br>C) Because the designation of a data protection officer (DPO), where mandatory, is regarded as an organizational measure</p>

A

<p>A) Incorrect. Organizational measures are meant to protect the data subjects’ rights and consist of procedures for fair and transparent processing.<br></br>B) Correct. Some internal processes and procedures must be addressed by organizational measures to guarantee that the data subjects rights can be fully exercised in compliance with the GDPR. Technical tools and systems complement the organizational measures, but do not substitute them. (Literature: A, Chapter 9)<br></br>C) Incorrect. Organizational measures are meant to protect the data subjects’ rights and consist of procedures for fair and transparent processing.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

<p>A company is setting up a project to create a new, free service for consumers.<br></br>According to privacy by design, what is the most desirable time to discuss data protection?<br></br><br></br>A) From the start of the project<br></br>B) During the implementation phase<br></br>C) When the project nears completion</p>

A

<p>A) Correct. Privacy and data protection must be promoted from the start of the project in line with the privacy by design principle. (Literature: A, Chapter 5; F)<br></br>B) Incorrect. Discussing data protection in the implementation phase is too late.<br></br>C) Incorrect. Discussing data protection in the project completion phase is too late.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

<p>Setting up a data protection management system (DPMS) is done in phases. The first phase in building a DPMS is called Data Protection and Privacy Preparation. A step in this phase is performing initial data audits and assessments.<br></br>Why must these data audits and assessments be done in the Data Protection and Privacy Preparation phase of building a DPMS?<br></br><br></br>A) Because the data audits and assessments analyze the awareness and readiness of staff regarding data protection and privacy<br></br>B) Because the data audits and assessments identify risks regarding compliance, people and other related risks for the organization<br></br>C) Because the data audits and assessments provide a clear overview of the current personal data flows inside and outside the organization<br></br>D) Because the data audits and assessments provide an inventory of where different types of personal data are located within the organization</p>

A

<p>A) Incorrect. Data audits and assessments are not intended to provide an analysis of the awareness and readiness of staff regarding data protection and privacy.<br></br>B) Correct. Data audits and assessments in this phase identify risks regarding compliance, individuals and other related risks. The outcome provides a first insight into what should be covered by the DPMS. (Literature: B, Chapter 2.2.1)<br></br>C) Incorrect. Data audits and assessments are not used to provide insight into data flows inside and outside the organization.<br></br>D) Incorrect. Data audits and assessments are not used to provide an inventory of where types of data are located within the organization, but to identify risks.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

<p>An organization wants to comply with the GDPR. They are building a data protection management system (DPMS). The build of the DPMS is in the first phase: Data Protection and Privacy Preparation.<br></br>The data protection officer (DPO) has drafted a governance structure, established data flows, created a personal data inventory and established all three elements of the data protection and privacy program (step 7).<br></br>What is the last step of the first phase of building a DPMS?<br></br><br></br>A) Carry out an analysis of the communication and training aspects required for your company's staff<br></br>regarding data protection and privacy<br></br>B) Define clear roles and responsibilities in job descriptions and related documents, such as employment contracts of privacy managers and of a DPO<br></br>C) Draft a comprehensive guide to all members responsible for data protection and privacy to achieve compliance with relevant legislation<br></br>D) Draft and submit a report to the organization’s board about the steps taken so far, recommending action plans and a budget</p>

A

<p>A) Incorrect. This is one of the three elements of the data protection and privacy program that was already established in step 7.<br></br>B) Incorrect. This step is taken much later in phase 2, step 4.<br></br>C) Incorrect. This is the first step to be taken in phase 2.<br></br>D) Correct. This is the last step to be taken in the first phase. (Literature: B, Chapter 2.2.1)</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

<p>A company wants to build a data protection management system (DPMS). The first phase in building a DPMS is Data Protection and Privacy Preparation.<br></br>Which step does not belong to this first phase?<br></br><br></br>A) Develop draft implementation action plans<br></br>B) Establish a data government organization<br></br>C) Maintain data privacy documentation<br></br>D) Perform initial data audits and assessments</p>

A

<p>A) Incorrect. This is a step that belongs to the first phase.<br></br>B) Incorrect. This is a step that belongs to the first phase.<br></br>C) Correct. This step belongs to phase 4: 'Data Protection and Privacy Governance'. The first phase consists of the following steps: conduct privacy analysis, collect privacy laws, analyze privacy impact, perform initial data audits and assessments, establish data governance organization, establish data flows and personal data inventory, establish data protection and privacy program, develop data protection and privacy implementation action plans. (Literature: B, Chapter 2.2)<br></br>D) Incorrect. This is a step that belongs to the first phase.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

<p>A company wants to set up a data protection management system (DPMS). The second phase in building a DPMS is called Data Protection and Privacy Organization. One of the steps in phase 2 has the following objective:<br></br>to integrate data protection and privacy thinking across the whole company and across all its functions<br></br>Which step in phase 2 has this objective?<br></br>A) Audit the measures and controls for privacy and data protection to identify gaps and errors<br></br>B) Implement and operate the data protection and privacy computerized systems<br></br>C) Inform employees about the status of the privacy and data protection program<br></br>D) Maintain regular mutual communication for data protection and privacy issues</p>

A

<p>A) Incorrect. This audit can only take place after the full implementation. It is the outcome of phase 5.<br></br>B) Incorrect. This is a technical measure to ensure data integrity, not a cultural measure to integrate data<br></br>protection and privacy thinking across the whole company and all its functions.<br></br>C) Incorrect. Although it is important for employees to know the status of the program, this type of communication is not enough to engage everyone and effectively integrate data protection and privacy thinking across the whole company and all its functions.<br></br>D) Correct. Constant regular communication is a must to effectively implement the company’s data protection and privacy strategy in all company operations. (Literature: B, Chapter 2.2.2.)</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

<p>A data protection officer (DPO) realizes the importance of maintaining regular communication with all other individuals who have been appointed and are accountable or responsible for data protection and privacy. This group of individuals should work towards an organization-wide outcome, regarding data protection and privacy.<br></br>Which outcome benefits an organization the most?<br></br><br></br>A) Creating a system where all data protection and privacy issues must be referred to and subsequently solved by the DPO<br></br>B) Developing divergent perspectives on data protection and privacy while outsourcing or transferring data in the organization<br></br>C) Instilling a collaborative and proactive approach to embedding data protection and privacy into all parts of the organization<br></br>D) Raising awareness that outsourcing data protection and privacy creates shared responsibility and accountability for compliance</p>

A

<p>A) Incorrect. The company would benefit more if the regular communication instilled a culture change concerning data protection and privacy among all employees rather than leave all data protection and privacy problems solely to the DPO.<br></br>B) Incorrect. The company would benefit more if the regular communication created a common perspective, aligned to the privacy mission statement, instead of divergent perspectives on data protection and privacy across the company.<br></br>C) Correct. The regular communication with all individuals who are accountable and responsible for privacy and data protection within the organization allows them to better understand each department’s scenarios and challenges and to exchange ideas and suggestions on how to embed privacy and data protection into all systems, services, products and ongoing projects. (Literature: B, Chapter 2.2.2)<br></br>D) Incorrect. The company would benefit more if the regular communication made all employees understand that they have responsibility and accountability for data protection and privacy of the information under their care, even when the activities or tasks are outsourced.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

<p>If an organization wants to develop, implement and manage a data protection management system (DPMS) this is done in several phases. The implementation of the DPMS has five phases describing: preparation, organization, development and implementation, governance, and evaluation and improvement. What are the phases of implementing a DPMS comparable to?<br></br><br></br>A) A continual improvement process comparable to the PDCA-cycle<br></br>B) A guide to the implementation of privacy governance<br></br>C) An inventory of the data regulations as a preparation for the DPMS<br></br>D) The impact of privacy regulations, rules and standards</p>

A

<p>A) Correct. The phases of implementing a DPMS describe a continual improvement process very close to the PDCA cycle. (Literature: A, Chapter 1; B, Chapter 2)<br></br>B) Incorrect. This refers to phase 4 of the setting up of a DPMS.<br></br>C) Incorrect. This is describing only a part of the second step of phase 1 (the preparation phase).<br></br>D) Incorrect. This is describing only step 3 of phase 1.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

<p>A key element of the GDPR is that an organization must demonstrate compliance. The implementation of a data protection management system (DPMS) can help demonstrate compliance.<br></br>Which phase of the implementation of a DPMS demonstrates compliance with the GDPR the most?<br></br><br></br>A) Phase 1, the organization prepares for privacy and data protection implementation<br></br>B) Phase 2, the organizational structures and mechanisms for privacy are established<br></br>C) Phase 3, data protection and privacy measures are developed and implemented<br></br>D) Phase 4, privacy governance mechanisms for the organization are established</p>

A

<p>A) Incorrect. This phase prepares for the implementation but does not include any form of compliance yet.<br></br>B) Incorrect. This phase is the base for implementation of privacy requirements but does not demonstrate compliance itself.<br></br>C) Correct. The implementation of procedures, policies and controls demonstrates compliance. (Literature: B, Chapter 2.2; GDPR Article 24(1))<br></br>D) Incorrect. This phase is important to stay compliant but requires implementation first.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

<p>A data protection officer (DPO) develops and implements a data protection and privacy management system (DPMS). The implementation is in phase 3: Data Protection and Privacy Development and Implementation.<br></br>What must be done first in phase 3?<br></br><br></br>A) Analyze and define the company’s needs and requirements for data protection and privacy<br></br>B) Investigate employees’ knowledge and understanding of data protection and privacy concepts<br></br>C) Research the industry's best practices and adapt them to the company’s needs and requirements<br></br>D) Understand global data protection and privacy law and determine the relevance of that information</p>

A

<p>A) Correct. The first action is to understand and define the company’s needs and requirements, to establish the goals and objectives for the data protection and privacy strategies, plans and policies. (Literature: B, Chapter 2.2)<br></br>B) Incorrect. This investigation must be done after analyzing and defining the company's needs and requirements.<br></br>C) Incorrect. Industry best practices can only be adapted to the company after analyzing and defining the company's needs and requirements.<br></br>D) Incorrect. Relevance of information can only be determined after analyzing and defining the company's needs and requirements.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

<p>A personal data breach response plan describes the following actions:<br></br>- An external provider responds to the breach, provides public relations services and assists in minimizing the damage<br></br>- The data protection officer (DPO) asks the supervisory authority for support<br></br>- The processor notifies the business partners and data subjects about the data breach and asks their support<br></br>Who is most likely to minimize the impact for third parties and data subjects?<br></br><br></br>A) The external provider<br></br>B) The DPO<br></br>C) The processor</p>

A

<p>A) Correct. The external party provides services that are of help to quickly respond to a personal data breach and help minimize the impact for third parties and data subjects. (Literature: B, Chapter 2)<br></br>B) Incorrect. The DPO must provide information and should be of assistance to the supervisory authority, not the other way around.<br></br>C) Incorrect. There is no legal obligation for processors to notify business partners about a data breach. Also, the notification to data subjects should only be made (1) when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and (2) by the controller, and not the processor.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

<p>Three health institutes work together to develop a mobile app for monitoring patients. Medical staff add their personal data and qualifications to the app, and patients add their personal data including medical data.<br></br>The health institutes appoint a single data protection officer (DPO). To run a pilot, they need to put the app in app stores. After the app is in app stores, they test the security of the new app. As a safety precaution, the description states that the app is in a pilot phase. Only a few test data subjects download the app, but they use it for real and enter actual data.<br></br>The test shows that the app is not secure at all. It can easily be hacked. A hacker could change health data of the patients and collect and use the data in unauthorized ways<br></br>According to the GDPR, what must the DPO do?<br></br><br></br>A) The DPO does not have to act, because the app is in a pilot phase and only a small number of patients is participating.<br></br>B) The DPO does not have to act, because the impact of the vulnerabilities cannot be qualified as high risk during a pilot phase.<br></br>C) The DPO must inform the patients and supervisory authority because the app results in a high risk to the patients’ rights and freedoms.<br></br>D) The DPO must notify the supervisory authority and make sure the app’s security measures are adjusted to the required safety standards.</p>

A

<p>A) Incorrect. The number of data subjects is irrelevant. The qualification of high risk to the rights and freedoms of natural persons determines the actions to be taken.<br></br>B) Incorrect. A pilot phase is no excuse for allowing data to be at risk.<br></br>C) Correct. The controller has taken insufficient measures to ensure the security of the data. The risk is to special category personal data. Therefore, both the supervisory authority and the data subjects should be notified. (Literature: A, Chapter 14; GDPR, Article 33(1) and Article 34(1))<br></br>D) Incorrect. Both these actions are wise to take. However, the GDPR specifies the notification to the data subjects and does not specify that the security measures should be adjusted.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

<p>Compliance with the GDPR can be helped by implementing a systematic incident management regime.<br></br>What is an outline of an effective incident management process?<br></br><br></br>A) Recognize that an incident has occurred, respond to the immediate and long-term concerns, and track the incident to ensure that the steps taken were effective<br></br>B) Recognize that an incident has occurred and report the incident to the data protection officer (DPO) to review the data flows and improve the security policies<br></br>C) Track all incidents that involve personal data, perform a data protection impact assessment (DPIA) to analyze the risks and set up an improvement plan<br></br>D) Track all instances of personal data processing to retrieve data after an incident more easily and ensure that response activities can be reduced to minimize costs.</p>

A

<p>A) Correct. This is an outline of an incident management process. (Literature: A, Chapter 14)<br></br>B) Incorrect. Incidents must be reported to responsible staff. The DPO does not have to review data<br></br>flows after every incident.<br></br>C) Incorrect. DPIAs do not have to be done after every incident.<br></br>D) Incorrect. It is ineffective to track all instances of personal data processing. This answer also misses the steps to respond to an incident and ensure the steps taken were effective.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

<p>The CEO has asked the privacy team to evaluate the organization in terms of data protection and privacy performance. A benchmark would be a proper way to objectively determine how well the organization is performing.<br></br>What does the privacy benchmark not cover?<br></br><br></br>A) A survey focused on the organization’s customer satisfaction regarding privacy<br></br>B) Comparisons across business units or departments regarding privacy compliance<br></br>C) The current privacy performance of the organization compared to that of one year ago<br></br>D) The privacy performance of the organization measured against that of similar entities in the industry</p>

A

<p>A) Correct. A benchmark compares the current situation of the company with that of previous periods or the industry. In this case no comparison is made. Furthermore, not all customers are aware of privacy best practices, or have been exposed to the various privacy practices of your organization. (Literature: B, Chapter 2.2.5)<br></br>B) Incorrect. The privacy benchmark does help to make comparisons across business units or departments regarding privacy compliance.<br></br>C) Incorrect. Privacy benchmarking can also be used as a sort of self-assessment to compare the results against previous assessments to identify improvements or areas that may have deteriorated.<br></br>D) Incorrect. Benchmarking is an objective methodology to compare the organization’s privacy performance with similar entities in the industry and with best practices.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

<p>An organization wants to use artificial intelligence (AI) and deep learning algorithms in the human resources (HR) department to look at employment relations, create employee capability profiles and define bonuses for individual targets.<br></br>What must be done first and before implementing this new type of personal data processing?<br></br><br></br>A) Conduct a data protection impact assessment (DPIA)<br></br>B) Conduct a privacy assessment of the HR department<br></br>C) Report the processing to the supervisory authority</p>

A

<p>A) Correct. The processing involves a new technology for profiling and is likely to result in a high risk to the rights and freedoms of natural persons, as it can significantly affect their behavior, activities and rewards at work. (Literature: A, Chapter 5; GDPR Article 35)<br></br>B) Incorrect. Assessment of business unit compliance with the privacy policies is done on a periodic, unannounced basis, not when implementing a new type of processing.<br></br>C) Incorrect. This is done after conducting the DPIA and only under certain conditions.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

<p>According to the GDPR, which activity is always a responsibility of the controller?<br></br><br></br>A) Being responsible for performing a data protection impact assessment (DPIA)<br></br>B) Contracting a security company for the protection of personal data in transit<br></br>C) Implementing a new method to collect personal data from the customers<br></br>D) Maintaining records of the processing activities carried out by the processor</p>

A

<p>A) Correct. Responsibility for DPIAs falls to the controller and should not be outsourced to a data processor. (Literature: A, Chapter 12; GDPR Article 35)<br></br>B) Incorrect. This could be the responsibility of the processor, if prior written authorization exists.<br></br>C) Incorrect. This could be the responsibility of the processor, if prior written authorization exists.<br></br>D) Incorrect. This element is the responsibility of the processor. The controller maintains a record of the processing activities they control.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

<p>A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations.<br></br>Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients.<br></br>The hospital had carefully analyzed their own processes. The hospital had a robust verification process in place and has contractual agreements with the printing company.<br></br>Why will the hospital be held responsible by the supervisory authority?<br></br><br></br>A) Because the contract determines this<br></br>B) Because the hospital is the controller<br></br>C) Because the mix-up is between patients<br></br>D) Because the verification has gone wrong</p>

A

<p>A) Incorrect. The hospital is accountable because, as the controller, it is subject to the accountability principle, determined by the GDPR.<br></br>B) Correct. The GDPR states that “The controller shall be responsible [...], paragraph 1(‘accountability’)” for the lawfulness of processing. The controller will be held responsible and accountable by the supervisory authority, whatever contract may be in place between controller and processor. The controller should only use processors that provide sufficient guarantees that they implement appropriate technical and organizational measures. (Literature: A, Chapter 12; GDPR, article 5 (2))<br></br>C) Incorrect. It does not matter that the data subjects all belong to the same controller. Who is the controller is relevant here.<br></br>D) Incorrect. There is nothing to indicate the verification went wrong. The supervisory authority will always hold the controller responsible.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

<p>When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract. According to the GDPR, when does the processor always need written authorization by the controller?<br></br><br></br>A) When the processor contracts a company to protect data during transfers<br></br>B) When the processor contracts a third party to process personal data<br></br>C) When the processor implements a new method to collect personal data<br></br>D) When the processor implements a new method to delete personal data</p>

A

<p>A) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR.<br></br>B) Correct. This engaging of another processor cannot be done without the prior specific or general written authorization of the controller. (Literature: A, Chapter 12; GDPR Article 28(2))<br></br>C) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR.<br></br>D) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

<p>Who has the legal obligation to keep records of processing activities?<br></br><br></br>A) The chief information officer<br></br>B) The chief privacy officer<br></br>C) The controller and processor<br></br>D) The data protection officer (DPO)</p>

A

<p>A) Incorrect. The chief information officer has the overall responsibility for information technology and information management.<br></br>B) Incorrect. The chief privacy officer should create engagement for GDPR compliance within the organization.<br></br>C) Correct. Both controller and processor are required to keep a record of all processing activities. (Literature: A, Chapter 12; GDPR Article 30)<br></br>D) Incorrect. Although in practice it is the DPO that creates inventories, holds a register of processing activities and has been given the responsibility to maintain these records, this is done under the legal obligation of the controller or processor.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

<p>A North American organization based in the European Economic Area (EEA) processes personal data of natural persons. It processes ethnicity data on a large scale. According to the GDPR, an organization is required to appoint a data protection officer (DPO) in three specific cases. In this case, for what reason is it mandatory for this organization to appoint a DPO?<br></br><br></br>A) Foreigners’ personal data are processed<br></br>B) Personal data are processed in a third country<br></br>C) Personal data of minorities are processed<br></br>D) Special categories of personal data are processed on a large scale</p>

A

<p>A) Incorrect. This is not one of the three basic conditions specified in the GDPR.<br></br>B) Incorrect. This is not one of the three basic conditions specified in the GDPR.<br></br>C) Incorrect. This is not one of the three basic conditions specified in the GDPR.<br></br>D) Correct. This is one of the cases specified in the GDPR, when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9. Ethnic or racial data is specifically mentioned in Article 9 of the GDPR. The other two conditions are: (1) processing is carried out by a public authority or body, except for courts acting in their judicial capacity, (2) processing that requires regular and systematic monitoring of data subjects on a large scale. These three basic conditions apply to both controllers and processors. (Literature: A, Chapter 2; GDPR Article 9 and Article 37)</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

<p>A data protection officer (DPO) works for the Ministry of Transportation, which is a national department. A new project is announced to monitor people's driving behavior on the national highways. The Ministry wants to use an intelligent video analysis system to single out cars and automatically recognize license plates.<br></br>The state secretary is in a hurry to get the project started and worries that privacy issues might cause unwelcome delays.<br></br>What should the DPO do?<br></br><br></br>A) Ask the state secretary to contact the supervisory authority, because this is clearly outside the DPO’s scope<br></br>B) Assure the state secretary that a data protection impact assessment (DPIA) is unnecessary, if data subjects are informed of the data processing<br></br>C) Inform the state secretary that a DPIA is mandatory for the large-scale monitoring of a public space<br></br>D) Urge the state secretary to reconsider the project because mass surveillance data processing is prohibited</p>

A

<p>A) Incorrect. A DPO should be sufficiently qualified to discuss this.<br></br>B) Incorrect. Informing data subjects will not exempt an organization from the responsibility to do a DPIA.<br></br>C) Correct. The project demands systematic monitoring of a publicly accessible area on a large scale, and this is one of the three mandatory scenarios for performing a DPIA. (Literature: A, Chapter 5; GDPR Article 35(3)(c))<br></br>D) Incorrect. Monitoring, surveillance and profiling are not prohibited, as long as people’s rights and freedoms are sufficiently protected.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

<p>Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks.<br></br>In relation to which party is the DPO exempted from this secrecy or confidentiality to seek advice?<br></br><br></br>A) The board of directors of the company<br></br>B) The data protection and privacy network members team<br></br>C) The information security officer (ISO)<br></br>D) The supervisory authority</p>

A

<p>A) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of board members. The DPO should fulfill an independent role.<br></br>B) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of the data protection and privacy network members' team.<br></br>C) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of the ISO.<br></br>D) Correct. The obligation of secrecy and or confidentiality does not prohibit the DPO from contacting and seeking advice from the supervisory authority. (Literature: A, Chapter 2; GDPR Article 36 and Article 39(1)(e))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

<p>A data protection impact assessment (DPIA) is a tool to identify data protection risks, especially the ones which are likely to highly affect the rights and freedoms of natural persons. Why can the DPIA be seen as part of an organization's wider risk management?<br></br><br></br>A) Because the DPIA assesses all security risks of the organization under review and replaces any other risk assessment or risk management<br></br>B) Because the DPIA assesses risks by the likelihood and severity of the risk, similar to other well-defined components of risk management<br></br>C) Because the DPIA is mandatory for each project, according to the GDPR, which reduces all other legal requirements for risk management</p>

A

<p>A) Incorrect. A DPIA only focuses on personal data protection and privacy risks.<br></br>B) Correct. This is the link between DPIA and risk management. (Literature: A, Chapter 2; GDPR Recital 90)<br></br>C) Incorrect. A DPIA is not always required and it does not diminish needs for other risk management.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

<p>According to the GDPR, what should always be part of a data protection impact assessment (DPIA)?<br></br><br></br>A) Develop a subject access request procedure to ensure compliance with data subjects’ rights<br></br>B) Identify the personal data that are processed and the intended purposes of the processing<br></br>C) Notify the data subjects that an assessment will take place and request their explicit consent<br></br>D) Set up an incident response plan and define appropriate safeguards to avoid data breaches</p>

A

<p>A) Incorrect. This is a possible measure, based on the outcome of a DPIA.<br></br>B) Correct. Every DPIA should start with a description of the intended processing and the purposes of the<br></br>processing. (Literature: A, Chapter 8; GDPR, Article 35(7)(a))<br></br>C) Incorrect. Consent is not required to do a DPIA.<br></br>D) Incorrect. This is a possible measure, based on the outcome of a DPIA.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

<p>An organization develops a new product to find underperforming employees. They search their internet history and analyze work behavior using artificial intelligence (AI).<br></br>Although the software engineers do not fully understand the algorithm, management decides to fire the bottom 10% employees.<br></br>The data protection officer (DPO) is concerned about the impact of this product and informs the board that a data protection impact assessment (DPIA) is required.<br></br>What is not part of the reason why a DPIA is mandatory?<br></br><br></br>A) The automation of the personal data processing<br></br>B) The evaluation that may affect the data subjects significantly<br></br>C) The processing of special categories of personal data<br></br>D) The systematic monitoring of personal aspects of natural persons</p>

A

<p>A) Incorrect. This is a reason for a DPIA being mandatory.<br></br>B) Incorrect. This is a reason for a DPIA being mandatory.<br></br>C) Correct. While the system will be collecting personal data, these data are not considered special categories of data. (Literature: A, Chapter 8; GDPR Article 35)<br></br>D) Incorrect. This is a reason for a DPIA being mandatory.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

<p>What is not an outcome of a data protection impact assessment (DPIA)?<br></br><br></br>A) A log of access to confidential data, with an automated authorization check<br></br>B) A record of data subjects’ views on the intended processing operations<br></br>C) A systematic description of the intended processing operations<br></br>D) An assessment of risks to the rights and freedoms of data subjects</p>

A

<p>A) Correct. This is not an outcome of a DPIA, but is an ongoing activity performed by information security. (Literature: A, Chapter 8 and Chapter 3; GDPR Article 35)<br></br>B) Incorrect. This is a possible outcome of the DPIA.<br></br>C) Incorrect. This is a possible outcome of the DPIA.<br></br>D) Incorrect. This is a possible outcome of the DPIA.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

<p>The GDPR details what the output of a data protection impact assessment (DPIA) must contain at a minimum.<br></br>What is not mandatory in a DPIA?<br></br><br></br>A) A description of the processing and its purposes<br></br>B) An assessment of the necessity and proportionality of the processing operations in relation to the purposes<br></br>C) An assessment of the risks to the rights and freedoms of data subjects<br></br>D) The advice of the supervisory authority</p>

A

<p>A) Incorrect. This is a mandatory part of the DPIA.<br></br>B) Incorrect. This is a mandatory part of the DPIA.<br></br>C) Incorrect. This is a mandatory part of the DPIA.<br></br>D) Correct. It is not always mandatory to consult with the supervisory authority, and it is not mandatory to include a log of the advice in the DPIA. (Literature: A, Chapter 5; GDPR Article 35(7) and Article 36(1))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

<p>A data protection impact assessment (DPIA) shows that the intended processing involves collecting more data on individual customers than is necessary to achieve the intended purpose.<br></br>According to the GDPR, what is the most appropriate response?<br></br><br></br>A) Anonymize the data as soon as possible<br></br>B) Introduce a training and awareness program<br></br>C) Limit the period of time for which the data is stored<br></br>D) Reduce the amount of data collected</p>

A

<p>A) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place.<br></br>B) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place.<br></br>C) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place<br></br>D) Correct. This implements the principle of data minimization and reduces the risks for the data subjects. (Literature: A, Chapter 8; GDPR 5(1))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

<p>What is best done first, before starting a data protection impact assessment (DPIA)?<br></br><br></br>A) Determining measures to address the identified risks<br></br>B) Determining whether there is a need for a DPIA<br></br>C) Identifying the risks to the rights and freedoms of data subjects</p>

A

<p>A) Incorrect. This is part of a DPIA and done after determining the need for one.<br></br>B) Correct. The organization needs to determine whether the law requires a DPIA or if the needs of the<br></br>organization demand one. (Literature: A, Chapter 5; GDPR Article 35(7))<br></br>C) Incorrect. This is part of a DPIA and done after determining the need for one.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

<p>A company performs a data protection impact assessment (DPIA). Why is data mapping useful for a DPIA?<br></br><br></br>A) It assesses all organizational risks to privacy.<br></br>B) It helps to gain an overview of the personal data in use.<br></br>C) It helps to inform all relevant parties.</p>

A

<p>A) Incorrect. Data mapping does not assess risks.<br></br>B) Correct. Data mapping identifies data in use. Mapped data flows help to identify potential risks that<br></br>must be assessed. (Literature: A, Chapter 7)<br></br>C) Incorrect. Data mapping is not used to inform parties.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

<p>A privacy expert is hired by an organization. They wish to outsource part of their data processing activities. The expert performs a data protection impact assessment (DPIA) on the processing that involves a data processor.<br></br>One of the main steps of a DPIA requires the controller to provide all the input and does not require the processor to be involved.<br></br>Which step is that?<br></br><br></br>A) Assessment of the necessity and proportionality of the processing<br></br>B) Assessment of the risks to the rights and freedoms of data subjects<br></br>C) Mitigating measures to address the risks, including safeguards<br></br>D) Systematic descriptions of the intended processing operations</p>

A

<p>A) Correct. This is the responsibility of the controller and does not involve the processor. (Literature: A, Chapter 12)<br></br>B) Incorrect. Input is needed from the processor on potential risks.<br></br>C) Incorrect. Input is needed on the mitigating measures taken by the processor.<br></br>D) Incorrect. To make a full description, input from the processor is needed.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

<p>A large company is struggling financially. The board wants employees to work more efficiently. The board starts an experiment in which the internet activities of the employees are monitored. The data are analyzed to see where more efficiency can be achieved. People categorized as inefficient might be dismissed. Why must a data protection impact assessment (DPIA) be done before using the new procedure?<br></br><br></br>A) Because a large company has many employees. Therefore, the processing will be large scale.<br></br>B) Because it is an experiment. A DPIA is required for new and experimental processing activities.<br></br>C) Because it is systematic processing. The decisions might significantly affect the employees.</p>

A

<p>A) Incorrect. The large scale may be of influence but is not a criterion by its own. Large scale monitoring in a public space would be a criterion. However, the company is not a public space.<br></br>B) Incorrect. It is irrelevant whether it concerns an experiment or an ordinary processing activity.<br></br>C) Correct. This is defined as one of the three cases in which a DPIA is mandatory. (Literature: A, Chapter<br></br>5; GDPR Article 35(3)(b))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

<p>An organization plans to make automated decisions on its clients, based on profiling. Which part of the data protection impact assessment (DPIA) needs extra attention?<br></br><br></br>A) The assessment of the need to perform a DPIA in relation to this processing activity<br></br>B) The measures to protect the rights of the data subject that will be implemented<br></br>C) The measures to secure the personal data from being requested by data subjects<br></br>D) The procedures for data erasure after a data subject asks for their data to be removed</p>

A

<p>A) Incorrect. For processing activities involving automated decision making, including profiling, a DPIA is always required.<br></br>B) Correct. The risks automated decision-making brings with it need special attention. How to mitigate the risk should be carefully described. A mitigation could be to allow human intervention. (Literature: A, Chapter 5; GDPR Article 35)<br></br>C) Incorrect. Data need to be secured in general, but data subjects have the right of access.<br></br>D) Incorrect. This is part of a DPIA, but it is not most appropriate for specific attention if automated decisions are made.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

<p>The GDPR states that organizations must seek ways to prevent personal data breaches. Therefore, it is important to quickly recognize incidents that can be classified as personal data breaches. According to the GDPR, which incident is not a personal data breach?<br></br><br></br>A) A patient is expecting a package containing medical equipment, but it is delivered to the wrong address.<br></br>B) An employee working at a mental health clinic has misplaced a set of patient files that cannot be retraced.<br></br>C) The accidental destruction of personal data by a fire or an earthquake in a data warehouse<br></br>D) The unauthorized disclosure of a company’s confidential financial data regarding an intended<br></br>acquisition</p>

A

<p>A) Incorrect. This is a personal data breach involving special category personal data.<br></br>B) Incorrect. The accidental loss of any personal data, and especially special category personal data, is also considered a personal data breach.<br></br>C) Incorrect. Even if the incident is caused by a natural disaster or force majeure, this must be considered a personal data breach.<br></br>D) Correct. This is a data breach, but no personal data are compromised. It is not a personal data breach. (Literature: A, Chapter 3; GDPR Article 4(12))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

<p>In which situation is it required to report a personal data breach to the supervisory authority?<br></br><br></br>A) If the organization cannot resolve the incident within a timeframe of 72 hours after it has occurred<br></br>B) In any situation where there is a security threat to the rights and freedom of natural persons<br></br>C) Only if the incident is recognized as a personal data breach within a timeframe of 72 hours<br></br>D) When a personal data breach is likely to result in a risk to the rights and freedom of natural persons</p>

A

<p>A) Incorrect. The timeframe in which the incident is resolved is unimportant.<br></br>B) Incorrect. A threat is not enough. A notification is only mandatory when a personal data breach<br></br>occurred, that is likely to result in a risk to the rights and freedoms of natural persons.<br></br>C) Incorrect. The incident management process may be unable to identify the incident within 72 hours. The GDPR states that personal data breaches must be reported "without undue delay and where feasible not later than 72 hours after having become aware of it".<br></br>D) Correct. Notification to the supervisory authority is mandatory for incidents involving personal data, that are likely to result in a risk to the rights and freedoms of natural persons. (Literature: A, Chapter 14; GDPR Article 33(1))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
68
Q

<p>The head of the Human Resources (HR) department has lost a memory stick containing the personal information of 35 employees. The memory stick is protected by strong encryption. The HR department also has this personal information stored in a backup device. According to the GDPR, is it mandatory to report this personal data breach to the supervisory authority?<br></br><br></br>A) Yes, because all security incidents must be reported to the supervisory authority.<br></br>B) Yes, because reporting it enables the supervisory authority to inform the employees.<br></br>C) No, because it is not a legitimate interest of the company to report data breaches.<br></br>D) No, because this personal data breach creates no risk to the data subjects’ rights.</p>

A

<p>A) Incorrect. Only personal data breaches that result in a high risk to the rights of data subject must be reported. Although it can be good practice to report all personal data breaches to avoid breaking the law, this is not mandatory.<br></br>B) Incorrect. The data subjects’ rights are not at risk, so they do not need to be informed. It is not the supervisory authority’s task to inform the data subjects.<br></br>C) Incorrect. The legitimate interest of the company is a legal ground for processing. It does not relate to personal data breaches and how these must be reported.<br></br>D) Correct. The strong encryption and backup are enough to guarantee the confidentiality and availability of the personal data. Therefore, this data breach is unlikely to result in a risk to the rights and freedoms of natural persons. It is not mandatory to report this data breach to the supervisory authority. (Literature: A, Chapter 14; GDPR Article 33(1))</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
69
Q

<p>According to the GDPR, in which situation must a personal data breach be reported to the data subjects affected?<br></br><br></br>A) When a personal data breach is likely to result in a high risk to the rights and freedoms of the data subject<br></br>B) When the supervisory authority has determined that consent was the only legal ground for processing<br></br>C) When there is a security incident that is labelled as a personal data breach within 72 hours<br></br>D) When personal data is compromised by external factors such as hackers or other cyber criminals</p>

A

<p>A) Correct. Data subjects should be informed if the personal data breach poses a high risk to their rights and freedoms. (Literature: A, Chapter 14; GDPR Article 34(1))<br></br>B) Incorrect. Only personal data breaches that pose a high risk must also be reported to the data subjects.<br></br>C) Incorrect. The 72 hours are the timeframe within which the personal data breach should be reported to the supervisory authority. Not all personal data breaches must be reported to the data subjects.<br></br>D) Incorrect. Notification does not depend on the underlying cause of the personal data breach.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
70
Q

<p>In the best practice incident response process the phases prepare, respond and follow-up are defined. For each phase, documentation is essential. In the respond phase, it is important to gather and preserve evidence to show why an incident happened and why the organization was not able to prevent the incident. What must be gathered and preserved?<br></br><br></br>A) Audit control plans<br></br>B) Data protection impact assessments (DPIAs)<br></br>C) Evidence to provide a clear picture<br></br>D) System recovery plans</p>

A

<p>A) Incorrect. An audit control plan is not documented in the incident response process.<br></br>B) Incorrect. A DPIA is not documented in the incident response process.<br></br>C) Correct. Throughout the incident response process, evidence should be gathered and preserved to provide a clear picture of what happened and why the organization was unable to prevent the incident. (Literature: A, Chapter 14)<br></br>D) Incorrect. A system recovery plan is not documented in the incident response process.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
71
Q

<p>Data Protection Authorities are assigned a number of responsibilities aimed at making sure Data Protection Regulations are complied with. What is one of those responsibilities?<br></br><br></br>A) Assessing codes of conduct for specific sectors relating to the processing of personal data.<br></br>B) Defining a minimum set of measures to be taken to protect personal data.<br></br>C) Investigation of all data breaches of which they have been notified.<br></br>D) Review of contracts and BCRs on compliance with the regulations.</p>

A

<p>A) Correct. One of the responsibilities of DPAs is to provide general advice on how to comply with the regulations. See: Course slides 46 (day 2A) Responsibilities (powers) and tasks of the AP .<br></br>B) Incorrect. A DPA will give general advice on what they consider an appropriate level of security. They will however not tell you what specific measures you need to take to achieve that level. Even if they want to they would not be able to, because there simply is no one-size-fits-all solution.<br></br>C) Incorrect. DPAs don’t have the obligation, nor the capacity to investigate all breaches they know of. But they will investigate those they deem significant or noteworthy.<br></br>D) Incorrect. A DPA is not a legal council. They don’t review contracts or Binding Corporate Rules. However in the course of an investigation they might take a look at a specific contract or set of BCRs.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
72
Q

<p>A religious association wants to share personal data with their religious authority in a non-European country in order to comply with a legal request from the government concerned.<br></br>Which regulation in the General Data Protection Regulation (GDPR) applies in this case?<br></br><br></br>A) As an exception, processing of sensitive data revealing religious beliefs is permitted to a religious association.<br></br>B) It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.<br></br>C) Processing is lawful provided specific and unambiguous consent of the data subject has been acquired.<br></br>D) Processing personal data outside the EU is permitted using the model contract clauses designed by the EU Commission.</p>

A

<p>A) Incorrect. Religious associations are permitted to process personal data relating to their former and current members, but it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.<br></br>B) Correct. See: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-4-cross-border-data- transfers; GDPR art. 48.<br></br>C) Incorrect. It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country, not even with consent of the data subject.<br></br>D) Incorrect. Processing of sensitive data outside EU can be lawful, but not in response to a request from a third country government.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
73
Q

<p>On July 12, 2016 the European Commission implemented a ruling regarding transfer of personal data with the USA (EU-US Privacy Shield). In terms of the General Data Protection Regulation (GDPR), what kind of a ruling is this?<br></br><br></br>A) an adequacy decision<br></br>B) an exception decree<br></br>C) a standard binding contract<br></br>D) a treaty superseding the GDPR</p>

A

<p>A) Correct. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries. See: GDPR recitals 104 and 106.<br></br>B) Incorrect. An exception is about transfers essential to respond to terrorist offences or serious crimes (art. 11)<br></br>C) Incorrect. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries.<br></br>D) Incorrect. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
74
Q

<p>Binding Corporate Rules are a means for organizations to ease their administrative burden when complying with the GDPR. How do these rules help them?<br></br><br></br>A) They allow them to have underpinning contracts with all parties involved abroad.<br></br>B) They allow them to let third parties outside the European Economic Area process personal data.<br></br>C) They avoid the need to approach each Data Protection Authority in the EU separately.<br></br>D) They prevent them from having to ask a DPA for permission for the processing of the data once their BCR are accepted.</p>

A

<p>C) They avoid the need to approach each Data Protection Authority in the EU separately.<br></br><br></br>A) Incorrect. BCRs are drafted so organizations do not have to use written underpinning contracts for each affiliate separately.<br></br>B) Incorrect. BCRs are valid within an organization and all its affiliates only. They do not apply to other parties.<br></br>C) Correct. Once BCRs are approved by one DPA inside the EU you don’t have to ask the other DPAs inside the EU to approve them anymore. See: Course slides 79-81(day 2A) Binding Corporate Rules.<br></br>D) Incorrect. BCR must be authorized by a DPA too.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
75
Q

In case a contractor contracts out the processing of personal data, the parties will enter into a written contract. This contract sets out subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. What other aspect must be governed by this written contract?

A) the accountability of the processor
B) the data breach notification obligation
C) the obligation that processors must co-operate with the supervisory authority
D) the obligations and rights of the controller

A

<p>A) Incorrect. This is a direct obligation of the GDPR to processors.<br></br>B) Incorrect. This is a direct obligation of the GDPR to processors.<br></br>C) Incorrect. This is a direct obligation of the GDPR to processors.<br></br>D) Correct. This is a direct obligation of the GDPR to processors. Source: GDPR art. 22 (3).</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
76
Q

What should be done so that a Controller is able to outsource the processing of personal data to a Processor?

A) The Controller must ask the Data Protection Authority (DPA) for permission to outsource the processing of the data.
B) The Controller must ask the DPA if the agreed upon written contract is compliant with the regulations.
C) The Controller and Processor must draft and sign a written contract guaranteeing the confidentiality of the data.
D) The Processor must show the Controller all demands agreed upon in the Service Level Agreement (SLA) are met.

A

C) The Controller and Processor must draft and sign a written contract guaranteeing the confidentiality of the data.

A) Incorrect. You don’t have to ask the DPA for permission for each instance of outsourcing.
B) Incorrect. The DPA is not a legal council and will not check contracts for compliance.
C) Correct. There must be a written contract guaranteeing the confidentiality of the data in which the Controller defines the goals and means of processing. Both parties must sign this contract. See: Course slide 17-26 (Day 2A) Written contract between the Controller and the Processor.
D) Incorrect. An SLA is not enough as it will focus on operations, not necessarily on defining goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
77
Q

Data protection by design, as described in GDPR article 25, is based on seven basic principles. One of these is usually called ‘Functionality – Positive-Sum, not Zero-Sum’. What is the essence of this principle?

A) Applied security standards must assure the confidentiality, integrity and availability of personal data throughout its lifecycle.
B) If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives.
C) When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired.
D) Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks.

A

A) Incorrect. This is an aspect of End-to-End Security – Lifecycle Protection, one of the other six basic principles.
B) Incorrect. Privacy by Design rejects the approach that Privacy has to compete with other legitimate interests, design objectives, and technical capabilities. All objects need to be accommodated in a positive-sum “win-win” manner.
C) Correct, this is the essence. See: Cavoukian, Ann. 2011. Privacy by design, the 7 principles. (https://www.iab.org/wp-content/IAB uploads/2011/03/fred_carter.pdf)
D) Incorrect. This is an aspect of ‘privacy embedded into design’, one of the other six basic principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
78
Q

Often staff that works with personal data consider privacy and information security as separate issues. Why is this wrong?

A) Privacy can’t be guaranteed without identifying, implementing, and monitoring proper information security measures
B) The Data Protection Authority (DPA) expects the roles of Data Protection Officer and Information Security Officer to be integrated.
C) The regulations identify specific information security measures that must be taken before handling personal data is allowed

A

A) Privacy can’t be guaranteed without identifying, implementing, and monitoring proper information security measures.

A) Correct. Privacy and Data Protection are about guaranteeing confidentiality of personal data a.o. This requires the implementation of security measures. See: Course slide 22 (Day 2B) Reliability requirements.
B) Incorrect. The DPA does not expect these roles to be integrated at all.
C) Incorrect. The regulations specify goals that must be met, but no specific measures that must be taken.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
79
Q

One of the objectives of a Privacy Impact Assessment (PIA) is to ‘strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected’. How can a PIA ‘strengthen the confidence’?

A) The organization minimizes the risk of costly adjustments in processes or redesign of systems in a later stage.
B) The organization prevents non-compliance to the GDPR and minimizes the risk of fines.
C) The organization proves that it takes privacy seriously and aims for compliance to the GDPR.

A

A) Incorrect. This aspect may strengthen the confidence of management, but not customers or citizens.
B) Incorrect. Preventing fines may strengthen the confidence of management, but not customers or citizens.
C) Correct. See: Course slide 20 (day 2B) Most important objectives of a DPIA 2.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

What is the purpose of a privacy audit by the supervisory authority?

A) To fulfill the obligation of the GDPR to implement appropriate technical and organizational measures for data protection.
B) To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.
C) To advice the controller on the mitigation of privacy risks in order to protect the controller from liability claims for non-compliance to the GDPR.

A

A) Incorrect. The audit is not the implementation of the measures, but an assessment of their effectiveness.
B) Correct. According to GDPR art 57.1(a) this is an important task of the DPA as supervising authority.
C) Incorrect. The DPA has the task to monitor compliance and to advice on enhancements, but its purpose is not to protect the controller.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
81
Q

What best describes the principle of data minimization?

A) Care must be taken to collect as little data as possible in order to protect the privacy and interests of the data subjects.
B) Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
C) In order to keep data manageable it must be stored in such a manner that it requires a minimal amount of storage.
D) The number of items that is collected per data subject may not exceed the upper limit stated by the Data Protection Authority (DPA).

A

A) Incorrect. As a matter of fact the GDPR states the data collected must be adequate, implying it does not have to be the absolute minimum.
B) Correct. This is the very definition of data minimization (article 5.1.c). It is aimed at making sure only the data needed to achieve the defined goals are collected. See: Course slide 4 (day 2B) Data life cycle management and data minimisation.
C) Incorrect. Storage size has nothing to do with this principle.
D) Incorrect. DPAs do not set an upper limit on the number of items collected as long as they are limited to those needed to achieve the defined goals.<p></p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
82
Q

<p><strong>Session cookies are one of the most common types of cookie. What does a session cookie do?</strong><br></br><br></br>A) It contains information on what you are doing, for instance the products you select in a webshop before you actually order.<br></br>B) It reveals your browse history, so other websites can find out which websites you have visited before you arrived there.<br></br>C) It stores your browse history, so you can trace where you have been on the net and revisit those site(s) if you want.<br></br>D) It collects your personal data, so the website can greet you by name and reuse your settings when you return.</p>

A

<p><strong>A) It contains information on what you are doing, for instance the products you select in a webshop before you actually order.</strong><br></br><br></br>A) Correct. A session cookie is kept in memory to save information on the session. It is erased when you close the session. See: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm<br></br>B) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session.<br></br>C) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session.<br></br>D) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
83
Q

Sometimes websites track visitors and store their information for marketing purposes. Is the website obliged to notify the visitor that their information is being used for marketing purposes?

A) Yes
B) No

A

A) Yes`

A) Correct. The website has the obligation to notify the visitor that their information is being used for marketing purposes. They have the right to object to processing of personal data concerning him or her for marketing purposes. See: Course slide 37 (day 2B) Resistance direct marketing.
B) Incorrect. The website has the obligation to notify the visitor that their information is being used for marketing purposes. They have the right to object to processing of personal data concerning him or her for marketing purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
84
Q

A company can present itself as an expert in a specific area of expertise making use of social media. What is the best way to demonstrate expertise in a specific field?

A) By posting information about the company on Social Media.
B) By actively answering questions on Social Media about their product.
C) By posting about how the product of the competitor is inferior to that of the company.
D) By posting about new products the company is developing.

A

A) Incorrect. Just posting information about the company does not make you an expert in a field.
B) Correct. Answering (and actively answering) questions about a specific product on social media could make your company an expert. See: https://blog.kissmetrics.com/social-media-after-sale/
C) Incorrect. This is just bragging about how good your product is (and maybe it is not).
D) Incorrect. This is just showing that you as a company are developing new products and yes, it can help improve sales but it does not make the company an expert.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
85
Q

A security breach has occurred in an information system that also holds personal data. What is the first thing the controller must do?

A) Ascertain whether the breach may have resulted in loss or unlawful processing of personal data.
B) Assess the risk of adverse effects to the data subjects using a privacy impact assessment (PIA).
C) Assess whether personal data of a sensitive nature has or may have been unlawfully processed.
D) Report the breach immediately with the relevant Data Protection Authority.

A

A) Correct. The data breach notification obligation as laid down in the Dutch Data Protection Act. See: Course slide 85 and further (day 2B) Personal data breach notification obligation.
B) Incorrect. A PIA is conducted when designing personal data processing operations.
C) Incorrect. The controller must first ascertain whether the incident is a data breach that needs to be reported.
D) Incorrect. The controller must first ascertain whether the incident is a data breach that needs to be reported.<p></p>

86
Q

The word ‘privacy’ is not mentioned in the General Data Protection Regulation (GDPR).How is ‘privacy’ related to ‘data protection’?

A) Data protection is a set of rules and regulations on processing personal data. Privacy is the result of Data Protection.
B) Privacy is the right to be protected from interference in personal matters. Data protection is the means to implement that protection.
C) Privacy is the right to keep personal matters secret. Data protection is the right to keep personal data secret.
D) The terms ‘privacy’ and ‘data protection’ are interchangeable. There is no real difference in meaning.

A

A) Incorrect. Privacy is a right, data protection is the means to ensure it.
B) Correct. See: UN Universal Declaration of Human Rights 1984. art. 12. And http://gilc.org/privacy/survey/intro.html.
C) Incorrect. Privacy is a right, data protection is the means to ensure it.
D) Incorrect. Privacy is a right, data protection is the means to ensure it.

87
Q

Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), repeals an earlier EU Directive.Which directive is being repealed (replaced)?

A) Directive 2002/58/EC of 12 July 2002
B) Directive 2006/24/EC of 15 March 2006
C) Directive 95/46/EC of 24 October 1995
D) Directive 97/66/EC of 15 December 1997

A

A) Incorrect. Directive 2002/58/EC amends some parts of Directive 97/66/EC.
B) Incorrect. This directive is about the retention of data collected for instance by internet providers.
C) Correct. This replacement is mentioned in the (sub)title of the regulation. Source: GDPR.
D) Incorrect. This Directive complements directive 95/46/EC to ensure an equivalent level of protection of fundamental rights and freedoms in the member states.

88
Q

Which right of Data Subjects is explicitly defined by the GDPR?

A) A copy of personal data must be provided in the format requested by the Data Subject.
B) Access to personal data without any cost for the Data Subject.
C) Personal data must be always changed at the request of the Data Subject.
D) Personal data must be erased at all times if a Data Subject requests this.

A

A) Incorrect. It has to be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the Data Subject specifies.
B) Correct. However only the first copy has to be provided free of cost. See Course slide 32 (day 2A) Rights Data Subject
C) Incorrect. Only erroneous data has to be rectified.
D) Incorrect. Article 17 gives some exceptions to this like when the data is needed for the establishment, exercise or defense of legal claims.

89
Q

The GDPR distinguishes ‘sensitive personal data’ as a special category of personal data.What is an example of such data?

A) an appointment in a hospital with a medical specialist
B) an International Bank Account Number (IBAN)
C) subscription to a scientific journal for politics
D) the membership of a branch association

A

A) Correct. An appointment with a medical specialist is ‘personal data concerning health’. See GDPR art. 9.1.
B) Incorrect. An IBAN is data uniquely related to a person, i.e. personal data. But not sensitive personal data according to GDPR art. 9.
C) Incorrect. A scientific journal for politics is not ‘personal data revealing political opinions, religious or philosophical beliefs’ and as such not sensitive personal data according to GDPR art. 9.
D) Incorrect. Only trade union membership and other personal data ‘revealing (…) political opinions, religious or philosophical beliefs’ is sensitive personal data according to GDPR art. 9.

90
Q

Which role in data protection determines the purposes and means of the processing of personal data?

A) Controller
B) Data Protection Officer
C) Processor

A

A) Correct. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. See: Course slide 5 (day 2A) Controller.
B) Incorrect. The GDPR defines the DPO as “A person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.”
C) Incorrect. The Processor is the person or organization that processes personal data, but not necessarily the one who determines the why and how.

91
Q

Which information is regarded as personal data according to the General Data Protection Regulation (GDPR)?

A) information about a person, which might harm the privacy of that person, even when untrue
B) any information regarding an identifiable natural person
C) information, regarding an identifiable natural person, which is digitalized

A

A) Incorrect. Any statement about an identifiable natural person is personal data according to the GDPR.
B) Correct. See: GDPR art.4(1).
C) Incorrect. Any statement about an identifiable natural person is personal data according to the GDPR.

92
Q

A data privacy notice given directly to the data subject MUST contain which of the following elements?

A. Details of the media on which the data is going to be stored.
B. A description of the implemented technical and organisational measures.
C. The period for which the personal data will be stored.
D. The name of the individual carrying out the data entry.

A

C. The period for which the personal data will be stored.

93
Q

A religious association wishes to share personal data with its religious authority in a non-European country, to comply with a legal request from the government concerned. Which regulation in the GDPR applies in this case?

A As an exception, the processing of sensitive data revealing religious beliefs is permitted to a religious association.
B It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.
C It is not lawful to process sensitive personal data, unless it is specific and unambiguous, and consent of the data subject has been acquired.
D Processing personal data outside the EU is permitted using the model contract clauses designed by the EU Commission.

A

B It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.

94
Q

The data controller shall implement appropriate technical and organizational measures for ensuring that only personal data which are necessary for each specific purpose of the processing are processed’. Which term, as defined in the GDPR, does this describe?

A Compliance.
B Data protection by design.
C Data protection by default.
D Data protection by design and by default.

A

D Data protection by design and by default.

95
Q

What is the definition of personal data in the GDPR?

A Any information relating to an identified or identifiable natural person.
B Any information that European citizens would like to protect.
C Data that directly or indirectly reveals someone’s racial or ethnic background.
D Preservation of confidentiality, integrity and availability of information.

A

A Any information relating to an identified or identifiable natural person.

96
Q

Breach of the GDPR’s data transfer provisions is identified in the band of non- compliance issues, for which the maximum level of fines can be imposed. What is the maximum fine?

A Up to €20,000,000 or 4% of the company’s worldwide annual turnover.
B 2% of the company’s worldwide turnover with a minimum of €10,000,000.
C €10,000,000.
D €750,000.

A

A Up to €20,000,000 or 4% of the company’s worldwide annual turnover.

97
Q

When is consent NOT required in order to process personal data of the data subject?

A When the data controller exercises its right to process personal data under ‘legitimate interest’ and provides a Data Privacy Notice to the data subject.
B When the data subject has waived its right to consent.
C When processing of personal data is carried outside the EU.
D When it is adequate, relevant and limited to what is necessary.

A

A When the data controller exercises its right to process personal data under ‘legitimate interest’ and provides a Data Privacy Notice to the data subject.

98
Q

Which of the following is NOT an appropriate way of sharing sensitive personal data?

A Mailing a letter.
B Encrypted email.
C Secure file transfer.
D Encrypted hard drive.

A

A Mailing a letter.

99
Q

Which of the following is a special personal data type?

A Name.
B Email.
C Biometric data.
D GPS location data.

A

C Biometric data

100
Q

Which of the following is NOT applicable to international data transfers?

A. Fair and Accurate Credit Transactions Act (FACTA)
B. General Data Protection Regulation (GDPR)
C. The CLOUD Act
D. The Personal Information Protection and Electronic Documents Act (PIPEDA)

A

A. Fair and Accurate Credit Transactions Act (FACTA)

101
Q

Which of the following is NOT an appropriate way for an international organization operating in the US to be compliant w/ European Privacy regulations?

A. Model contracts
B. European ownership of the organization
C. Binding Corporate Rules (BCR)
D. Keeping all data in the country of origin

A

B. European ownership of the organization very important to know as a privacy professional the EU laws are something to look into (as will the laws in other countries that follow be).

In the US there are still restrictions on processing data on European citizens, regardless of country of ownership, so B is the correct answer

102
Q

Model contracts are used to:

A. Ensure legal compliance with E.U. data protection laws
B. Any time PII is to be exchanged
C. Determine if employee data is involved
D. Comply with U.S. government agency standards

A

A. Ensure legal compliance with E.U. data protection laws

103
Q

Which one of the following statements is true about the sharing of demographic databases if there is no information that can be used to identify a particular person?

A. European companies can freely develop and share demographic databases with U.S. companies
B. U.S. companies must obtain consent from the European data subject before being able to obtain information from European companies
C. U.S. companies must obtain consent from the appropriate European data protection authority before being able to obtain information from European companies
D. Only U.S. companies in compliance with Safe Harbor can freely obtain demographic databases from European companies

A

A. European companies can freely develop and share demographic databases with U.S. companies

104
Q

The OECD guidelines:

A. Have become the foundation of most data protection laws around the world today
B. Were replaced by the Council of Europe’s COE Convention of 1981
C. Set forth basic privacy principles as agreed by a 23-nation body that includes Europe and Japan but not the United States
D. Did not receive the approval of the Federal Trade Commission (FTC)

A

A. Have become the foundation of most data protection laws around the world today

105
Q

<p>Fines for violations to the privacy requirements of the GDPR can be significant because they are based on:
<br></br>
<br></br>a. A percentage of the company’s revenues worldwide
<br></br>b. A percentage of the company’s revenues in the immediate vicinity of the breach
<br></br>c. The rate determined by the country in which the company is based
<br></br>d. None of the above</p>

A

<p>a. A percentage of the company’s revenues worldwide</p>

106
Q

Which of the following was an important factor in the European Court of Justice striking down the U.S.-EU Safe Harbor program in the case of Schrems v. Data Protection Commission?

a. Weaknesses identified in the GLBA privacy notice provisions
b. Inability of involved countries to reach consensus on individual privacy rights
c. 2013 Snowden disclosures
d. None of the above

A

c. 2013 Snowden disclosures

107
Q

Important provisions added to the GDPR within the past few years include:

a. Security breach notification
b. Updated requirements for processors
c. Designated data protection officers
d. All of the above

A

d. All of the above

108
Q

<p>Which of the following replaced the U.S.-EU Safe Harbor program?
<br></br>
<br></br>a. Binding Corporate Rules
<br></br>b. Privacy Shield Framework
<br></br>c. Standard Contract Clauses
<br></br>d. All of the above</p>

A

<p>b. Privacy Shield Framework</p>

109
Q

<p>Which of the following provisions are outlined in the EU-U.S. Privacy Shield agreement for U.S. companies importing personal data from the EU?
<br></br>
<br></br>a. Commitments by U.S. companies and U.S. authorities
<br></br>b. Rules for mergers and acquisitions
<br></br>c. Three factor encryption requirements
<br></br>d. Only a and c</p>

A

<p>a. Commitments by U.S. companies and U.S. authorities</p>

110
Q

<p>Which of the following provisions are outlined in the EU-U.S. Privacy Shield agreement for U.S. companies importing personal data from the EU?
<br></br>
<br></br>a. Private right of action by other international companies
<br></br>b. Detailed explanations of U.S. laws
<br></br>c. Three factor encryption requirements
<br></br>d. All of the above</p>

A

<p>b. Detailed explanations of U.S. laws</p>

111
Q

<p>Important provisions added to the GDPR within the past few years include:
<br></br>
<br></br>a. Increased accountability
<br></br>b. International transfer rules
<br></br>c. Sanctions of up to 4% revenues
<br></br>d. All of the above</p>

A

<p>d. All of the above</p>

112
Q

<p>Which of the following agencies is involved in ensuring that law enforcement access complies with the appropriate safeguards and oversight mechanisms of the EU-U.S. Privacy Shield framework?
<br></br>
<br></br>a. U.S. State Department
<br></br>b. U.S. Department of Commerce
<br></br>c. U.S. Federal Trade Commission
<br></br>d. None of the above</p>

A

<p>c. U.S. Federal Trade Commission</p>

113
Q

<p>GDPR provisions include:
<br></br>
<br></br>a. Individual’s right to be forgotten
<br></br>b. Individual’s right to data portability
<br></br>c. Business’s implementation of data protection by design as a default
<br></br>d. All of the above</p>

A

<p>d. All of the above</p>

114
Q

<p>Which of the following agencies is involved in ensuring that requests related to national security purposes comply with the appropriate safeguards and oversight mechanisms of the EU-U.S. Privacy Shield framework?
<br></br>
<br></br>a. U.S. Department of Justice
<br></br>b. Office of the Director of National Intelligence
<br></br>c. U.S. Department of Commerce
<br></br>d. a and b</p>

A

<p>d. a and b</p>

115
Q

<p>Which of the following is the MOST commonly used mechanism for transfers of personal data between the EU and the U.S.?<br></br><br></br>a. Company policies and procedures<br></br>b. EU-U.S. Privacy Shield Framework<br></br>c. Standard Contract Clauses (SCCs)<br></br>d. None of the above</p>

A

<p>c. Standard Contract Clauses (SCCs)</p>

116
Q

<p>Which of the following are lawful bases for transfers of personal information between the EU and the United States?
<br></br>
<br></br>a. Binding Corporate Rules (BCRs)
<br></br>b. Standard Contract Clauses (SCCs)
<br></br>c. Privacy Shield Framework
<br></br>d. All of the above</p>

A

<p>d. All of the above</p>

117
Q

<p>Which of the following best describes the SCC mechanism for transfers of personal data between the EU and the U.S.?
<br></br>
<br></br>a. U.S. company agrees contractually to comply with EU law and submit to the authority of an EU privacy supervisory agency
<br></br>b. Formally adopted framework between the U.S. and the EU
<br></br>c. Data protection policies based on data protection principles to ensure appropriate safeguards are met
<br></br>d. None of the above</p>

A

<p>a. U.S. company agrees contractually to comply with EU law and submit to the authority of an EU privacy supervisory agency</p>

118
Q

<p>Which of the following best describes a provision of the BCR mechanism for transfers of personal data between the EU and the U.S.?
<br></br>
<br></br>a. Corporate rules for multinational corporations making transfers of personal information between the EU and U.S.
<br></br>b. Required to be approved by the data protection authority in each Member EU State involved in the transfers
<br></br>c. Must satisfy EU standards for data protection
<br></br>d. All of the above</p>

A

<p>d. All of the above</p>

119
Q

<p>Which of the following is an APEC Principle for data subject rights used as a baseline for determining when access requests should be granted?
<br></br>
<br></br>a. Charge the data subject for any data provided to them at the price that makes the best profit for the data controller
<br></br>b. Determine whether it is profitable for the controller to make changes requested by the data subject
<br></br>c. Obtain confirmation from the data controller they hold personal information of the data subject
<br></br>d. All of the above</p>

A

<p>c. Obtain confirmation from the data controller they hold personal information of the data subject</p>

120
Q

Which of the following as an APEC Principle for data subject rights organizations should use as a baseline for granting access requests?

a. Communicate with the data subject within a reasonable time
b. Provide information to the data subject at a reasonable charge, if any
c. Provide information to the data subject in a reasonable manner and in a form that is easily understandable
d. All of the above

A

d. All of the above

121
Q

In Schrems v. Data Protection Commission, what was the primary reason the European Court of Justice struck down the Safe Harbor program?

a. Facebook was not following strict encryption rules for cross-border data transfers
b. The 2013 Snowden disclosures invalidated the privacy practices of the U.S.
c. Data transfer rules were non-existent
d. None of the above

A

b. The 2013 Snowden disclosures invalidated the privacy practices of the U.S.

122
Q

As an APEC Principle for data subject rights used as a baseline for granting access requests, individuals should be able to challenge the information and have it corrected or deleted, except when:

a. The burden or expense would be unreasonable or disproportionate to the risks to the individual’s privacy
b. The information should not be disclosed due to legal or security reasons or to protect confidential information
c. The information privacy of other individuals would be violated
d. All of the above

A

d. All of the above

123
Q

What was the premise of Schrems II as it relates to information privacy of cross-border data flows?

a. Facebook is engaging in inadequate encryption methods
b. Personal data from the EU is at risk for hackers during its transfer to the U.S.
c. Binding contractual clauses and Privacy Shield do not provide adequate protection from U.S. government surveillance practices
d. None of the above

A

c. Binding contractual clauses and Privacy Shield do not provide adequate protection from U.S. government surveillance practices

124
Q

Which of the following is true of international transfers of sensitive information?

A. International branches or contractors are responsible for inappropriate uses of sensitive information.
B. Multi-national corporations must also consider other countries’ regulations of personal information.
C. Personal information that is brought to the US remains subject to requirements of its country of origin.
D. US laws do not restrict geographic transfers of personal information.

A

A. International branches or contractors are responsible for inappropriate uses of sensitive information.

125
Q

A privacy impact assessment (PIA) process helps:

A. Evaluate the strengths of your existing privacy program
B. Determine the risks associated with a new operation
C. Only if you are working on a U.S. government contract
D. Only if you are building a new Website

A

B. Determine the risks associated with a new operation

126
Q

What types of PII are exempt from trans-border data regulations?

A. Medical history
B. Credit history
C. Social Security Numbers
D. Personnel records

A

C. Social Security Numbers

127
Q

What are the DPO’s responsibilities?

A
To monitor compliance with the GDPR 
• Advise controller and processors 
• Manage risk 
• Cooperate with supervisory authorities
 • Communicate with data subjects and supervisory authorities 
• Exercise professional secrecy
128
Q

examples of business activities that would cause a U.S. organization to fall under the scope of the GDPR

A

U.S. company offers a consumer cloud service in the EU

  • U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers)
  • “U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.”
  • The processor is a sub-processor of a principal processor based in the EU
129
Q

True or False?

An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.

A

False

130
Q

How do the CCPA and GDPR different?

A
  • Definitions of key terms and concepts (e.g., controller)
  • No definition of sensitive data under the CCPA
  • No private right of action—except for data breaches—under the CCPA
131
Q

What is a Data Protection Officer (DPO)?

A

A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection law and practices.

132
Q

The EU-U.S. Privacy Shield is what type of cross-border data transfer mechanism?

A. Binding corporate rule
B. Code of conduct
C. Standard contractual clause
D. Adequacy decision

A

D. Adequacy decision

133
Q

Which federal agency administers Privacy Shield?

A. State Department
B. Department of Commerce
C. Office of Management and Budget
D. Office for Civil Rights (HHS)

A

B. Department of Commerce

134
Q

True or false? Under the GDPR, both controllers and processors have record-keeping obligations.

A

True

135
Q

What are the organization’s responsibilities in relation to the DPO role?

A

Communication with/involvement of the DPO in all issues related to personal data protection

  • DPO access to personal data and processing operations
  • Resources to help carry out tasks
  • Safeguards to enable the DPO to perform tasks independently
  • DPO reports to the highest levels of management
136
Q

According to the EU Data Protection Directive, an adequate country has which of the following characteristics ?

A. is an ally of the EU
B. has signed a contract with the EU Data Protective Directive
C. has laws about individual rights that are similar to those of the EU Data Protection Directive
D. has no limitations on transfers with countries in the European Economic Area

A

C. has laws about individual rights that are similar to those of the EU Data Protection Directive

D. has no limitations on transfers with countries in the European Economic Area

137
Q

Which of the following are not considered adequate countries by the EU Data Protection Directive?

A. the US
B. Switzerland
C. Argentina
D. Canada

A

A. the US

138
Q

What forms of messaging does the Australian SPAM Act of 2003 restrict?

A. commercial messaging sent from Australia
B. commercial messaging through text messages (SMS/MMS) and instant messages
C. commercial messaging sent to Australia
D. all of the above

A

D. all of the above

139
Q

The general data protective directive was created by what governing body?

A. the US
B. the EU
C. Canada
D. Australia

A

B. the EU

140
Q

This is the major data protection law in Canada:

A. CAN SPAM Act
B. Data Protection Directive
C. Personal Information Protection and Electronic Document Act of 2001 (PIPEDA)
D. the Gramm-Leach Bliley Act

A

z

141
Q

Which of the following is considered personal information according to PIPEDA?

A. name of employee in an organization
B. information about an identifiable individual
C. title of an Employee in an Organization
D. home telephone number of an employee

A

z

142
Q

Which of the following are part of the standards regarding information collection under PIPEDA?

A. accuracy
B. child protection
C. individual access
D. accountability

A

z

143
Q

A recipient is:

A. the person who sends data
B. a third party to whom data is sent
C. an authority to whom data is sent
D. And authority that sends data

A

B. a third party to whom data is sent

144
Q

A register is:

A. where a transaction is processed
B. a listing of publicly available information
C. an official customer record
D. a database of customers

A

B. a listing of publicly available information

145
Q

What are some of the differences between US and EU data protection regulations?

A. the EU may sometimes require pre-approval before the transmission of data and the US does not

B. the EU requires one governing privacy authority for each member, while the US uses a combination of different regulations and authorities

C. the EU limits transmission of data with other countries while the US does not

D. the US is not as concerned with privacy policy as the EU

A

C. the EU limits transmission of data with other countries while the US does not

146
Q

What is Safe Harbor?

A. a policy allowing unrestricted information transmission between the EU and the US

B. an EU directive regulating the transmission of data to adequate countries, of which the US is not included

C. a policy adopted by the EU detailing standards US companies must meet in order to complete uninterrupted business with entities in the EU.

D. a US policy regarding protective regulations for children using Web sites.

A

z

147
Q

Which of the following is considered sensitive personal information under the EU Data Protection Directive?

A. religious beliefs
B. race
C. criminal convictions
D. telephone number

A

z

148
Q

Which of the following is the practice of processing personally identifiable information so that it can be seen and understood by the data subject?

A. access
B. notice
C. transparency
D. participation

A

C. transparency

149
Q

What is the main purpose of the Global Privacy Enforcement Network?

A. To promote universal cooperation among privacy authorities
B. To investigate allegations of privacy violations internationally
C. To protect the interests of privacy consumer groups worldwide
D. To arbitrate disputes between countries over jurisdiction for privacy laws

A

A. To promote universal cooperation among privacy authorities

Reference: https://en.wikipedia.org/wiki/Global_Privacy_Enforcement_Network

150
Q

What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?

A. A large amount of money may have to be sent on improved technology and security
B. Industries may not be strict enough in the creation and enforcement of rules
C. A new business owner may not understand the regulations
D. Human rights may be disregarded for the sake of privacy

A

B. Industries may not be strict enough in the creation and enforcement of rules

151
Q

Which of the following is not applicable to international data transfers?

A. Fair and Accurate Credit Transactions Act
B. General Data Protection Regulation
C. The CLOUD Act
D. The Personal Information Protection and Electronic Documents Act

A

A. Fair and Accurate Credit Transactions Act

152
Q

Which of the following is not an appropriate way for an international organization operating in the US to be compliant w/ European Privacy regulations?

A. Model contracts
B. European ownership of the organization
C. Binding Corporate Rules
D. Keeping all data in the country of origin

A

B. European ownership of the organization very important to know as a privacy professional the EU laws are something to look into (as will the laws in other countries that follow be). In the US there are still restrictions on processing data on European citizens, regardless of country of ownership, so B is the correct answer

153
Q

Which is not a compatible purpose for processing data beyond the purpose originally specified at the time of collection?

A

Performance of a contract

154
Q

What may be the WORST consequence of an infringement of the processing principles?

A. A fine of up to €10m or 2% of the total worldwide annual turnover
B. A fine of up to €20m or 4% of the total worldwide annual turnover
C. A prison sentence
D. A bankruptcy order

A

B. A fine of up to €20m or 4% of the total worldwide annual turnover

155
Q

What is included in the supervisory authority’s powers?

A. Impose a temporary limitation on the processing
B. Impose a definitive limitation on the processing
C. Order the suspension of data flows
D. All of the above

A

D. All of the above

156
Q

Which body will monitor compliance with the approved codes of conduct?

A. A certification body accredited by the supervisory authority
B. The supervisory authority
C. The European Data Protection Board
D. The Data Protection Officer

A

A. A certification body accredited by the supervisory authority

157
Q

What can help the controller to demonstrate compliance with the GDPR?

A. Adherence to an approved code of conduct
B. Maintenance of the records of processing activities
C. Implementation of data protection policies
D. All of the above

A

D. All of the above

158
Q

What does the term ‘accountability’ mean in the GDPR?

A. The obligation to be able to demonstrate compliance with the GDPR
B. The obligation to explain non-compliances
C. The application of mechanisms that can reduce data protection risks
D. The implementation of a data protection policy

A

A. The obligation to be able to demonstrate compliance with the GDPR

159
Q

Which statement is TRUE about the data breach notification obligation?

A. The supervisory authority must be notified only if the breach is likely to have serious adverse effects on the affected data subjects
B. The supervisory authority must be notified only if the data were not encrypted
C. The supervisory authority must be notified only if the breach is likely to result in a risk to the rights and freedoms of natural persons
D. The supervisory authority must be notified of all breaches, unless the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons

A

D. The supervisory authority must be notified of all breaches, unless the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons

160
Q

In which case must the controller notify the supervisory authority?

A. A security incident occurs and the incident involves personal data
B. A security incident leads to the accidental loss of personal data
C. A risk analysis indicates that there are vulnerabilities in the processing system
D. A data subject withdraws consent to the processing

A

B. A security incident leads to the accidental loss of personal data

161
Q

In which case must the controller consult the supervisory authority PRIOR to the processing?

A. A new processor has adopted the binding corporate rules
B. A data subject has evoked his/her right of access
C. The controller has suffered several data breaches in the past
D. The results of the Data Protection Impact Assessment indicate that the processing involves a high risk that cannot be mitigated by the controller

A

D. The results of the Data Protection Impact Assessment indicate that the processing involves a high risk that cannot be mitigated by the controller

162
Q

A controller has erased personal data. In which case is the controller exempt from the obligation to notify every recipient of the erasure?

A. The processing was based on the data subject’s explicit consent
B. The personal data were inaccurate
C. Notifying the recipients would involve disproportionate effort
D. The erasure is irreversible

A

C. Notifying the recipients would involve disproportionate effort

163
Q

In which case must the controller inform the data subject of a personal data breach?

A. The breach has resulted in the loss of encrypted personal data
B. The breach involved personal data that had been rectified
C. The breach is likely to result in a high risk to the rights and freedoms of the data subject
D. The data subject had withdrawn consent to the processing before the breach occurred

A

C. The breach is likely to result in a high risk to the rights and freedoms of the data subject

164
Q

What does “transparent” communication mean?

A. Concise
B. Intelligible
C. Clear and plain language
D. All of the above

A

D. All of the above

165
Q

Finish the sentence: Transparency is an essential requirement in the controller’s communications with …

A. The data subject, the recipients of the personal data and the supervisory authority
B. The data subject, the processor and the supervisory authority
C. The processor, the recipients of the personal data and the Data Protection Officer
D. The processor and the sub-processors<p></p>

A

A. The data subject, the recipients of the personal data and the supervisory authority

166
Q

Which activity can be performed without carrying out a Data Protection Impact Assessment (DPIA)?

A. Systematic monitoring of public areas on a large scale
B. Systematic extensive evaluation of personal aspects
C. Processing with new technologies
D. Processing for the establishment, exercise or defense of legal claims

A

D. Processing for the establishment, exercise or defense of legal claims

167
Q

The GDPR requires (the representatives of) controllers and processors to “cooperate with the supervisory authority in the performance of its tasks”. This includes making the records of processing activities available to the supervisory authority. Which statement is TRUE about the obligation to make the records available to the supervisory authority?

A. The controller/processor must submit every new record to the supervisory authority
B. The controller/processor must disclose the records on request of the supervisory authority
C. The controller/processor must disclose the records where required by national law
D. The controller/processor should seek advice from the European Data Protection Board beforemaking a record available to the supervisory authority

A

B. The controller/processor must disclose the records on request of the supervisory authority<p></p>

168
Q

Both the controller and the processor are required to create and maintain records of their processing activities. Which is a mandatory element of the processor’s record?

A. A description of the categories of data subjects
B. A description of the envisaged retention periods
C. A description of the technical and organizational security measures
D. The purposes of the processing

A

C. A description of the technical and organizational security measures

169
Q

A software company takes data protection aspects into account when developing applications. What do we call this approach?

A. Data protection by default
B. Legitimate data protection
C. Data protection by design
D. Organizational data protection

A

C. Data protection by design

170
Q

Which is NOT one of the 7 foundational principles of privacy by design and by default?

A. Integrity and confidentiality
B. Visibility and transparency
C. Privacy embedded
D. Full functionality, positive sum

A

A. Integrity and confidentiality

171
Q

The GDPR requires the implementation of appropriate technical and organizational security measures. Who bears ultimate responsibility for implementing the security measures?

A. The processor
B. The independent supervisory authority
C. The data subject
D. The controller

A

D. The controller

172
Q

According to the GDPR, which is NOT a legitimate reason for transferring personal data to ‘third countries’?

A. The transfer is covered by binding corporate rules
B. The transfer is demanded by a US presidential order
C. The third country has received an adequacy decision from the European Commission
D. The controller has provided appropriate safeguards

A

B. The transfer is demanded by a US presidential order

173
Q

A controller informs a data subject that her personal data is no longer necessary and will be erased. The data subject opposes the erasure and requests the restriction of processing instead. After the processing has been restricted, what purpose can the personal data be used for?

A. The establishment, exercise or defense of legal claims
B. Archiving purposes
C. Transfer of the data to another controller
D. Journalistic purposes

A

A. The establishment, exercise or defense of legal claims

174
Q

Which right enables the data subject to have inaccurate personal data corrected by the controller?

A. The right to rectification
B. The right to data portability
C. The right to restriction of processing
D. The right to withdraw consent

A

A. The right to rectification

175
Q

In certain areas, Member States may adopt exemptions and derogations from specific provisions of the GDPR. For which type of processing may Member States adopt exemptions and derogations?

A. Processing by clubs and cultural associations
B. Processing of anonymized personal data
C. Processing by churches and religious associations
D. Processing of pseudonymized personal data

A

C. Processing by churches and religious associations

176
Q

The GDPR allows Member States to maintain or introduce further conditions with regard to the processing of certain categories of personal data. Which is an example of those categories of personal data?

A. Data concerning a person’s health
B. Data concerning a person’s economic situation
C. Data concerning a person’s personal preferences
D. Data concerning a person’s location

A

A. Data concerning a person’s health

177
Q

In which situation may the controller process sensitive data?

A. The data are necessary for marketing purposes
B. The data subject has made the data public
C. The data are archived by the controller
D. The data are only stored but not actively used by the controller

A

B. The data subject has made the data public

178
Q

Who can obtain restriction of processing?

A. Controller
B. Processor
C. Representative
D. Data subject

A

D. Data subject

179
Q

Which processing principle requires the personal data to be up to date?

A. Accuracy
B. Purpose limitation
C. Storage limitation
D. Integrity and confidentiality

A

A. Accuracy

180
Q

Which activity falls outside the scope of the GDPR?

A. Profiling
B. Storing anonymised personal data
C. Storing any type of personal data
D. Erasure of personal data

A

B. Storing anonymised personal data

181
Q

Which concept does the GDPR define as “any operation or set of operations which are performed on personal data”?

A. Controlling
B. Purpose limitation
C. Processing
D. Storage limitation

A

C. Processing

182
Q

Which data are NOT considered ‘personal data’ under the GDPR?

A. Sensitive data
B. Pseudonymized personal data
C. Anonymized personal data
D. Biometric data

A

C. Anonymized personal data

183
Q

What is the territorial scope of the GDPR?

A. EU
B. EEA
C. EFTA
D. UN

A

B. EEA

184
Q

Chapter I of the GDPR contains general provisions. Within Chapter I, which article describes that the GDPR does not apply to personal data processing by natural persons in the course of a purely personal or household activity?

A. Article 2 Material scope
B. Article 3 Territorial scope
C. Article 4 Definitions
D. Article 1 Subject-matter and objectives

A

A. Article 2 Material scope

185
Q

Which of the following activities falls within the GDPR’s material scope?

A. Member States carrying out activities for the Common Foreign and Security Policy
B. Processing of personal data wholly or partly by automated means
C. Processing of personal data by natural persons in the course of a purely personal or household
D. Processing of personal data by competent authorities for crime prevention

A

B. Processing of personal data wholly or partly by automated means

186
Q

What do we call those parts of the GDPR that explain the reasoning behind the provisions and provide us with complementary information?

A. Citations
B. Articles
C. General provisions
D. Recitals

A

D. Recitals

The GDPR consists of two components: the articles and recitals.
The articles constitute the legal requirements organizations must follow to demonstrate compliance.The recitals provide additional information and supporting context to supplement the articles.

187
Q

Which body monitors the processing of personal data by EU institutions?

A. European Data Protection Board
B. European Data Protection Supervisor
C. Independent supervisory authority
D. Article 29 Working Party

A

A. European Data Protection Board

The European Data Protection Board (EDPB) is an independent European body which shall ensure the consistent application of data protection rules throughout the European Union. The EDPB has been established by the General Data Protection Regulation (GDPR).

188
Q

The GDPR defines a certain data protection role as “… the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Which role is this?

A. Processor
B. Controller
C. Supervisory authority
D. Data protection officer

A

B. Controller

189
Q

Which EU legal instrument applies directly to all Member States?

A. Directive
B. Decision
C. Executive order
D. Regulation

A

D. Regulation

EU treaties and EU regulations are directly applicable. They do not need any other acts of parliament in the member state to make them into law. Therefore, once a treaty is signed or a regulation is passed in Brussels by the Council of Ministers, it instantly becomes applicable in all member states.

190
Q

Which legal document is considered the cornerstone of all privacy legislation?

A. European Convention on Human Rights
B. EU Charter of Fundamental Rights
C. Universal Declaration of Human Rights
D. EC Implementing Decision 2016-7-12 (EU-US Privacy Shield)

A

C. Universal Declaration of Human Rights

191
Q

The GDPR does not describe the concept of ‘privacy’. Which European Union (EU) legal document contains an Article 7 on the right to ‘respect for private and family life’?

A. EU Charter of Fundamental Rights
B. DIRECTIVE 95/46/EC
C. General Data Protection Regulation
D. DIRECTIVE 2016/680

A

A. EU Charter of Fundamental Rights

192
Q

Which European Union (EU) legal document forms the basis for all EU privacy and data protection legislation?

A. UN Universal Declaration of Human Rights
B. DIRECTIVE 95/46/EC
C. EU Charter of Fundamental Rights
D. General Data Protection Regulation

A

D. General Data Protection Regulation (EU)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

193
Q

The GDPR requires controllers to perform a Data Protection Impact Assessment (DPIA) where the processing “is likely to result in a high risk to the rights and freedoms of natural persons”. As a DPO, which activity would you subject to a DPIA in any event?

A. HR and recruitment
B. Access rights management
C. Supplier relationship management
D. Accounting and bookkeeping

A

A. HR and recruitment

A DPIA is required at least in the following cases: a systematic and extensive evaluation of the personal aspects of an individual, including profiling; processing of sensitive data on a large scale; systematic monitoring of public areas on a large scale.

The EDPB advises that high risk processing areas that may necessitate a DPIA are processing that involves new technologies or AI, genetic or biometric data, decisions made which are based on automated processing including profiling of data subjects, any large scale processing or combination of data from different data.

194
Q

Bicsma’s marketing department uses a popular online marketing platform to create newsletter campaigns. The platform is operated by a U.S.-based service provider. As Bicsma’s DPO, you need to advise Bicsma on how to use the platform and remain GDPR-compliant. What will you do?

A.Verify whether the provider has joined the EU-U.S. Privacy Shield framework. If the answer is yes, the issue requires no further action from Bicsma. The Privacy Shield framework has obtained an adequacy decision from the European Commission, and personal data transfers under an adequacy decision are regarded as intra-EEA transfers.
B.Inform the relevant stakeholders that the platform should not be used until Bicsma and the provider sign a legally binding agreement.
C.Check whether the provider has a representative in the EU. If there is an EU-representative, GDPR-compliance is automatically ensured.
D.Read the provider’s data protection policy. If the policy states that the provider will process personal data in accordance with the GDPR, it is safe to use the service.

A

B.Inform the relevant stakeholders that the platform should not be used until Bicsma and the provider sign a legally binding agreement.

The correct answer is B.

The GDPR requires controllers to conclude binding agreements with all their processors. It is true that the U.S. has obtained an adequacy decision, the scope of which is limited to those U.S. organisations that comply with the Privacy Shield. It is also true that the GDPR regards personal data transfers under an adequacy decision as intra-EEA transfers. Yet the controller’s obligation to conclude legally binding agreements with its processors applies to all controller-processor relationships. The GDPR contains no specifications on the binding agreement:it may be drawn up either by the processor or the controller, and it may be a standard document which the controller accepts when accepting the terms of use. The only important point is that the agreement must be binding and must address all the requirements set out in Article 28 of the GDPR.The GDPR mandates that non-EU controllers and processors who process the personal data of individuals who are in the EU appoint a representative in the EU. Yet responsibilities for compliance with the GDPR cannot be transferred to the representative and having a representative is no guarantee for a controller’s or processor’s GDPR-compliance. Similarly, a processor’s data protection policy does not guarantee that the processor will process personal data in line with the GDPR.

195
Q

Which of the following statements is correct?

A. ‘Risk appetite’ refers to the amount of risk an organization needs to take in order to achieve its strategic objectives.
B. ‘Risk capacity’ refers to the amount of risk an organization needs to take in order to achieve its strategic objectives.
C. ‘Risk tolerance’ refers to the amount of risk an organization can afford to take.
D. ‘Risk appetite’refers to the amount of risk an organisation can afford to take.

A

B.‘Risk capacity’ refers to the amount of risk an organization needs to take in order to achieve its strategic objectives.

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, that change inevitably brings.

Risk tolerance is the degree of risk or uncertainty that is acceptable to an organization.Risk capacity, unlike tolerance, is the amount of risk that the investor “must” take in order to reach their financial goals

196
Q

The illegal collection, storage, modification, disclosure or dissemination of personal data is an offense by European law. What kind of offense is this?

A) a content related offense
B) an economic offense
C) an intellectual property offense
D) a privacy offense

A

D) a privacy offense

A) Incorrect. A content related offense concerns dissemination of racist statements, (child) pornography or information inciting violence.
B) Incorrect. Economic offenses relate to unauthorized access to systems (hacking, distribution of viruses, etc.) computer espionage, -forgery, and -fraud.
C) Incorrect. Intellectual property offenses pertain to violations of copyright and related rights.
D) Correct. Any illegal processing of personal data is an offense

197
Q

How are privacy and data protection related to each other?

A) Data protection is a subset of privacy.
B) Privacy is a subset of data protection.
C) They are the same thing.
D) You cannot have privacy without data protection.

A

D) You cannot have privacy without data protection.

A) Incorrect. Privacy spans a lot of concepts like spatial, relational, bodily and information privacy. Data protection has no relation to some of these.
B) Incorrect. Privacy spans a lot of concepts like spatial, relational, bodily and information privacy. Data protection helps to guarantee some of these.
C) Incorrect. Data protection for example has nothing to do with spatial privacy.
D) Correct. Within the confines of my home I can have lots of privacy, without any data protection at all. See Course slides8-9 (day 1)

198
Q

What is the GDPR mainly intended for?

A) To be a common ground upon which the member states can build their own laws.
B) To make non-EU countries respect the right to privacy of individuals within the EU.
C) To secure privacy as a fundamental human right for everyone.
D) To strengthen and unify data protection for individuals within the EU.

A

D) To strengthen and unify data protection for individuals within the EU.

A) Incorrect. The GDPR is a regulation, meaning it will repeal the data protection laws in the member states.
B) Incorrect. Its main objective is aimed at defining the data protection rights of individuals within the EU.
C) Incorrect. The GDPR does explicitly state data protection is a fundamental right, but its scope is limited to individuals within the EU.
D) Correct. The scope of the GDPR is limited to data protection as a right of individuals within the EU and aims to harmonize the rules for that within the EU. See:Course slide 24(day 1) European legislation on data protection.

199
Q

The General Data Protection Regulation (GDPR) is related to personal data protection. What is the definition of personal data?

A) any information relating to an identified or identifiable natural person
B) any information that the European citizens would like to protect
C) data that directly or indirectly reveal someone’s racial or ethnic background, religious views, and data related to health or sexual habits
D) preservation of confidentiality, integrity and availability

A

A) any information relating to an identified or identifiable natural person

A) Correct. This is the official definition of the data protection. See: GDPR2016/679 Article 4: definition.
B) Incorrect. This definition is too generic.
C) Incorrect. This is the definition of sensitive data not of generic personal data.
D) Incorrect. This is the definition of information security from ISO/IEC 27000:2014.

200
Q

According to the General Data Protection Regulation (GDPR), which personal data category is regarded as sensitive data?

A) credit card details
B) trade union membership
C) passport number
D) social security number

A

B) trade union membership

A) Incorrect. Credit card details are not sensitive data according to the GDPR.
B) Correct. Membership of a trade union is sensitive data. See: GDPR art. 9 and Special categories of personal data, Course slide 58.
C) Incorrect. Passport details are not sensitive data according to the GDPR.
D) Incorrect. A social security number is not sensitive data ac

201
Q

According to the General Data Protection Regulation (GDPR), what is the definition of ‘processing’ of personal data?

A) any operation that can be performed on personal data
B) any operation that can be performed on personal data, except erasing and destroying
C) only operations in which the data is being shared on social media or transferred by email or otherwise through the Internet
D) only operations in which the personal data is used for the purposes for which it was collected

A

A) any operation that can be performed on personal data

A) Correct. See:GDPR art.4 (2)
B) Incorrect.‘Processing’ means any operation which is performed on personal data.
C) Incorrect.‘Processing’ means any operation which is performed on personal data.
D) Incorrect.‘Processing’ means any operation which is performed on personal data.

202
Q

“An independent public authority which is established by a Member State pursuant to Article 51.” Which role in data protection is defined?

A) Controller
B) Processor
C) Supervisory / Data Protection Authority
D) Third party

A

C) Supervisory / Data Protection Authority

A) Incorrect. See:GDPR2016/679, Article 4.
B) Incorrect. See:GDPR2016/679, Article 4.
C) Correct. See:GDPR2016/679, Article 4 and Article 51.
D) Incorrect. See:GDPR2016/679, Article 4.

203
Q

Which of the examples of personal information may qualify as sensitive personal information? Select all that apply.

A. Social Security number
B. Bank account number
C. Driver’s license number
D. Home phone number
E. Professional membership
F. Medical history
G. Business email address
A

A. Social Security number
B. Bank account number
C. Driver’s license number
F. Medical history

204
Q

True or False

An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.

A

False

205
Q

The EU-U.S. Privacy Shield is what type of cross-border data transfer mechanism?

A. Binding corporate rule
B. Code of conduct
C. Standard contractual clause
D. Adequacy decision

A

D. Adequacy decision

206
Q

Which federal agency administers Privacy Shield?

A. State Department
B. Department of Commerce
C. Office of Management and Budget
D. Office for Civil Rights (HHS)

A

B. Department of Commerce

207
Q

Which of the following are data subject rights under the GDPR? Select all that apply.

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

A

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

208
Q

Which of the following are data subject rights under the GDPR? Select all that apply.

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

A

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

209
Q

If a data subject refuses to answer a required question during data collection do they forfeit their right to access?

A. yes
B. no
C. depends on the situation
D. only if they have a criminal record

A

B. no

210
Q

What is provided in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms?

A. The right of every individual to vote in his or her own country.
B. The right of public authorities to collect certain necessary personal data.
C. The right to respect for an individual’s privacy and family life.
D. The right of consumers to freely choose their service provider.

A

C. The right to respect for an individual’s privacy and family life.