Questions as a test Flashcards
- According to the General Data Protection Regulation (GDPR), when does an
organisation need to take action to legitimise cross-border data transfers of personal
data?
A. When the data is routed through another jurisdiction, whether the other jurisdiction is in or outside the European Union.
B. When the data is transferred from one jurisdiction within the European Union to
another jurisdiction within the European Union.
C. When the data is transferred from a jurisdiction outside the European Union to a
member state of the European Union.
D. When the data is transferred from a jurisdiction in the European Union to a third
country which is not deemed adequate.
The correct answer is D. Body of Knowledge Domain II(I): European Data Protection Law and
Regulation (International Data Protection Transfers)
An organization needs to take action to legitimise cross-border data transfers when the data
is transferred from a jurisdiction in the EU to a third country which is not deemed adequate.
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer
personal data to a third country or an international organisation only if the controller or
processor has provided appropriate safeguards, and on condition that enforceable data
subject rights and effective legal remedies for data subjects are available. See GDPR
Article 46.
- Which is an example of direct marketing?
A. An email sent to an individual about an order she has placed for a book.
B. An email sent to an individual promoting a new book which is on sale.
C. A letter addressed to ‘the household’ about a charity bookstore.
D. An advertisement on a website promoting a new book which is on sale.
The correct answer is B. Body of Knowledge Domain III(C): Compliance with European Data
Protection Law and Regulation (Direct Marketing)
An email sent to an individual promoting a new book which is on sale is an example of direct
marketing. The term ‘direct marketing’ refers specifically to the communication, by whatever
means, of any advertising or marketing material directed to particular individuals. This means
that data protection laws apply to the sending of marketing messages only where individuals’
personal data is processed in order to communicate the marketing message to them.
Marketing that does not entail processing of any personal data and is therefore not directed
at individuals (for example, untargeted website banner advertisements), is not subject to
data protection compliance. In addition, messages that are purely service-related in nature
(messages sent to individuals to inform them, for example, about the status of an order they
have placed) do not generally constitute direct marketing. The GDPR does, however, provide
the data subject the right to object to processing for the purposes of direct marketing. See
GDPR Recitals 47 and 70, GDPR Article 21, and Article 29 Working Party Opinion 5/2004.
- When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?
A. Within 72 hours after the controller becomes aware of it.
B. No later than 5 calendar days after the incident is identified.
C. Without unreasonable delay but no later than 30 days.
D. Notification to the supervisory authority is not required.
The correct answer is A. Body of Knowledge Domain II(K): European Data Protection Law and
Regulation (Consequences for GDPR Violations)
In the case of a personal data breach, the controller shall without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the personal data
breach to the supervisory authority competent in accordance with Article 55, unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of natural
persons. Where the notification to the supervisory authority is not made within 72 hours, it
shall be accompanied by reasons for the delay. See GDPR, Article 33.
- Under what condition is processing ‘sensitive employee data’ acceptable?
A. The processing is necessary to improve the quality of the employer-employee
relationship.
B. The processing is necessary for the data controller to carry out their obligation in the field of employment law.
C. The processing is necessary for the interest of both the data controller and the employee.
D. The processing is necessary for the interests pursued by the data controller.
The correct answer is B. Body of Knowledge Domain III(A): Compliance with European Data
Protection Law and Regulation (Employment Relationships)
GDPR Article 9(2)(b) provides that processing of sensitive employee data is acceptable when
‘processing is necessary for the purposes of carrying out the obligations and exercising
specific rights of the controller’ in the field of employment law. The GDPR also allows the
processing of ‘sensitive employee data’ where the controller has the data subject’s ‘explicit’
consent, and the legal obligations of the controller are justifiable reasons to process sensitive
information. It is likewise acceptable if the ‘data subject has given explicit consent to the
processing of those personal data for one or more specified purposes’.
- Why do binding corporate rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?
A. Because BCRs only provide adequate safeguards for organisations who move data outside their corporation.
B. Because BCRs secure transfers to third parties without needing to fulfil additional requirements.
C. Because BCRs only deal with intra-organisational transfers and not with transfers to third parties.
D. Because BCRs require contractual arrangements to legitimize international transfers of data.
The correct answer is C. Body of Knowledge Domain II(I): European Data Protection Law and
Regulation (International Data Transfers)
BCRs would not provide a basis to transfer names of employees to a telecom provider in the
same country in order to provide them with mobile phone services because BCRs only deal
with intra-organisational transfers and not with transfers to third parties. BCRs are
specifically designed to provide for adequate safeguards within multinational corporations
who move data within their corporation. See GDPR, Recital 110 and Articles 4(20) and 47.
- Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?
A. No, under the GDPR, using video surveillance is never allowed.
B. No, video surveillance is too intrusive a solution for inventory access.
C. Yes, provided that the company complies with specific conditions.
D. Yes, without any further conditions to be taken into account.
The correct answer is C. Body of Knowledge Domain III(A): Compliance with European Data
Protection Law and Regulation (Employment Relationships)
Certain conditions must be met for a European company to use video surveillance to monitor
employee access to inventory. Although the GDPR makes no specific reference to
surveillance, the use of video in the employment context amounts to the processing of
personal data, so the GDPR will apply. The data controller will be required to carry out a
balancing exercise to ensure that the surveillance is proportionate (see GDPR, Article 4) and
that the processing is lawful (see GDPR, Article 6(1)), and must take into account any
member state derogations in the employment context. See GDPR, Article 88.
- Which institution is responsible for ensuring that directives are implemented properly by the member states?
A. European Court of Justice.
B. European Commission.
C. European Parliament.
D. European Data Protection Supervisor.
The correct answer is B. Body of Knowledge Domain I(B): Introduction to European Data
Protection (European Union Institutions)
The European Commission is responsible for ensuring member state implementation. The
Commission not only acts as the executive body and influences the legislative function but
also acts as a guardian of the treaties by monitoring compliance of the other institutions,
member states, and ‘natural and legal persons’. To fulfil this task, Articles 226 and 228 of the
EC Treaty grant the Commission the power to take legal and administrative action, including
the power to impose a fine against a member state that has failed to comply with the law.
Articles 230 and 232 provide the necessary supervisory powers over the other institutions.
Article 1(18) of the Lisbon Treaty states that the Commission shall ensure the application of
the Treaties, and of measures adopted by the institutions pursuant to them. It shall oversee
the application of Union law under the control of the Court of Justice of the European Union.
- What is true for a contract based on European Commission standard contractual clauses with a processor outside the European Economic Area?
A. For subcontracting, the processor must inform the controller and obtain written approval.
B. Before the processing starts, the processor must obtain permission from the European Commission.
C. The data subject must consent to processing by a processor located outside of the European Economic Area.
D. The processor must provide a compliance statement from its data protection authority.
The correct answer is A. Body of Knowledge Domain II(H): European Data Protection Law and
Regulation (Accountability Requirements)
When using contracts based on European Commission standard contractual clauses, before
subcontracting, the processor must inform the controller and obtain written approval. Article
28(2) of the GDPR states that a processor shall not engage another processor without prior
specific or general written authorisation of the controller. This is reinforced in the
subprocessing clause of the standard contractual clauses where it clearly obliges the
processor to obtain prior written consent for the use of a subprocessor.
- Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?
A. Performance of a contract.
B. Transferring data to an archive.
C. Statistical purposes.
D. Historical or scientific research.
The correct answer is A. Body of Knowledge Domain II(D): European Data Protection Law and
Regulation (Lawful Processing Criteria)
Performance of a contract is not a compatible purpose for processing data beyond the
purpose originally specified at the time of collection. The GDPR does allow for further
processing of data for ‘archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, in accordance with Article 89(1)’ as compatible
with initial purposes. See GDPR, Article 5(1); Article 89(1).
© 2021 by the International Association of Privacy Professionals (IAPP). All rights reserved.
- Along with legitimacy, what is another condition that must be met when carrying out employee monitoring?
A. The monitoring must be in the public interest at the time of collection.
B. The monitoring must be done during agreed-upon time constraints.
C. The monitoring must be performed under an employment contract.
D. The monitoring must be limited to what is necessary for the purposes.
The correct answer is D. Body of Knowledge Domain III(B): Compliance with European Data
Protection Law and Regulation (Surveillance Activities)
Employee monitoring must be limited to what is necessary for the purposes, be done lawfully,
and should follow the principles relating to the processing of personal data as outlined in the
GDPR, Article 5. An employer must consider whether the proposed monitoring is
proportionate to the employer’s concern. The wholesale monitoring of all employee emails to
ensure that employees are not passing on confidential information about the employer would
be disproportionate. However, wholesale monitoring of emails may be proportionate to
ensure the security of the employer’s IT systems where such monitoring is carried out using
technical means that detect weaknesses in the system. See GDPR, Article 5(1).
- Which is an example of cloud computing?
A. A software package installed on a laptop.
B. A web-based email platform.
C. A portable mass storage device.
D. A single web server.
The correct answer is B. Body of Knowledge Domain III(D): Compliance with European Data
Protection Law and Regulation (Internet Technologies and Communications)
A web-based email platform is an example of cloud computing. ‘Cloud computing’ refers to
the provision of IT services over the internet. In cloud computing, data is stored, managed
and/or processed on a network of remote servers over the internet.
- According to the GDPR, the right to data portability applies:
A. When processing was originally based on the user’s consent.
B. When the processing was based on a public interest.
C. When the processing was done through ‘manual means’.
D. When the processing was based on the controller’s legitimate interests.
The correct answer is A. Body of Knowledge Domain II(F): European Data Protection Law and
Regulation (Data Subject Rights)
The right to data portability applies when the data processing is based on the user’s consent or on
a contract and the data processing is carried out by automated means. It does not apply to
‘processing necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller’. See GDPR, Article 20.
- A collection is part of a historical research initiative. Which is the most accurate statement concerning the obligations imposed by the GDPR?
A. As a regulation rather than a directive, the GDPR sets forth binding provisions for EU member states to follow without discretion.
B. The GDPR provides a framework which member states can choose to use as a basis for national legislation.
C. As a regulation rather than a directive, the GDPR sets forth binding provisions for EU member states to follow but it leaves them discretion in some areas.
D. The GDPR imposes binding obligations on all EU member states as well as on all countries deemed ‘adequate’ by the European Commission.
The correct answer is C. Body of Knowledge Domain I(C): Introduction to European Data
Protection (Legislative Framework)
As a regulation rather than a directive, it is directly imposed on the member states as a
national law, without the need for a local implementation act. However, in some key areas
the GDPR leaves the member states room to implement further rules or to deviate from the
GDPR. In fact, about 50 provisions in the GDPR allow for local law clarification or exception.
- Which is the most accurate statement concerning the obligations imposed by the GDPR regarding notification of data processing activities?
A. Notification is now optional but is recommended to foster the transparency of data processing activities.
B. Notification remains mandatory to finance the national data protection authority’s operations.
C. Notification is no longer required as the GDPR has switched to an accountability framework.
D. Notification is required of all processors but is not required of controllers.
The correct answer is C. Body of Knowledge Domain II(H): European Data Protection Law and
Regulation (Accountability Requirements)
The GDPR has abolished the need to notify the DPAs of processing of personal data activities
given the shift to an accountability framework that includes appointment of DPOs and
maintains a register of data processing activities. See GDPR, Articles 30 and 37.
- Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
A. Costs of implementation.
B. The state of the art.
C. Scope of processing.
D. The size of the organisation.
The correct answer is D. Body of Knowledge Domain II(G): European Data Protection Law and
Regulation (Security of Personal Data)
The size of the organisation is not one of the considerations to be taken into account in
determining the appropriate technical and organisational measures to ensure a level of data
security appropriate to the risk. Article 32 of the GDPR, which focuses on the security of
processing, provides that ‘the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and severity
for the rights and freedoms of natural persons’ be taken into account so that ‘the controller
and the processor shall implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk …’. The article continues by identifying
appropriate measures that can be employed. Though the size of the organisation may affect
the costs of implementation, it, by itself, is not a determining factor.
- Which is NOT a special category of data?
A. Political affiliation.
B. Health information.
C. Ethnic origin.
D. Social Security number.
The correct answer is D. Body of Knowledge Domain II(A): European Data Protection Law and
Regulation (Data Protection Concepts)
Social Security numbers are not considered a special category of data under the GDPR. Article
9 of the GDPR defines special categories of personal data to include: racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union membership, the processing
of genetic or biometric data for uniquely identifying a person, and the processing of data
concerning health, sex life or sexual orientation.
- Which institution has the power to adopt adequacy findings for the European Union?
A. Working Party 29.
B. European Commission.
C. European Data Protection Supervisor.
D. European Court of Justice.
The correct answer is B. Body of Knowledge Domain I(A): Introduction to European Data
Protection (Origins and Historical Context of Data Protection Law)
The European Commission has the power to adopt adequacy findings. Article 45 of the GDPR
specifically states that the Commission may find, in accordance with the elements of Article
45, that a third country ensures an adequate level of protection within the meaning of this
Article, by reason of its domestic law or of the international commitments it has entered into,
and the existence of an independent supervisory authority, for the protection of the private
lives and basic freedoms and rights of individuals. Unlike the Directive, the GDPR gives the
Commission the power to revoke a finding of adequacy; it also gives the newly formed
European Data Protection Board advisory powers related to adequacy decisions.
- Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?
A. The recipients are existing customers.
B. The controller is a non-profit organisation.
C. The data subject and controller work in the same industry.
D. The recipient’s email address is taken from a public register.
The correct answer is A. Body of Knowledge Domain III(C): Compliance with European Data
Protection Law and Regulation (Direct Marketing)
Under the e-Privacy Directive, data controllers may send electronic marketing information to
existing customers. Article 13(2) of the e-Privacy Directive states that when a person or
business obtains from its customers their electronic contact details for electronic mail, in the
context of the sale of a product or a service, the same entity may use these electronic
contact details for direct marketing of its own similar products or services provided that
customers clearly and distinctly are given the opportunity to object, free of charge and in an
easy manner, to such use of electronic contact details when they are collected and on the
occasion of each message in case the customer has not initially refused such use. See also
European Privacy, p. 42; e-Privacy Directive, Article 13(2).
- Under the GDPR, organizations that are not established in the EU that monitor behaviour will be subject to the Regulation when:
A. The equipment being used for monitoring is located in the EU.
B. The behaviour being monitored occurs within the EU.
C. The individual being monitored is a citizen of an EU member state.
D. The individual being monitored is an EU citizen visiting the United States.
The correct answer is B. Body of Knowledge Domain II(B): European Data Protection Law and
Regulation (Territorial and Material Scope of the GDPR)
Under the GDPR, non-EU organizations that monitor behaviour of EU individuals will also be
subject to the Regulation provided that the behaviour being monitored occurs within the EU.
Some examples of monitoring provided by the European Data Protection Board include:
tracking individuals online to create profiles, behavioural advertising, geolocation tracking,
online tracking through cookies, and CCTV. See GDPR, Article 3(2).
- Big data projects often gather and generate a multitude of data and relations that lead to additional data derivation opportunities. Which of the following statements is correct with regard to big data?
A. Big data projects are exempt from the proportionality principle of the GDPR.
B. Big data projects are subject to case-by-case review under the GDPR.
C. Big data projects are subject to the proportionality principle of the GDPR.
D. Big data projects are permitted to retain all data collected prior to the GDPR taking effect.
The correct answer is C. Body of Knowledge Domain II(C): European Data Protection Law and
Regulation (Data Processing Principles)
The proportionality principle is based on necessity. Data should be processed only as
necessary and should be proportionate to the specific processing needs. The Article 29
Working Party stated that all data protection principles, including data minimization, apply to
big data projects, despite the challenges that will arise. Article 5(1)(c) of the GDPR states
data collected must be “adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimization’).”
- Under the GDPR, privacy notices relating to services intended for children must be:
A. In a concise, transparent, intelligible, easily accessible form for adults to understand and explain to the child.
B. In a concise, transparent, intelligible, easily accessible form and in language the child can understand.
C. In concise legal language comprehensible to a subject matter expert or legal professional.
D. In the same format as privacy notices intended for adults as children are not addressed separately under the GDPR.
The correct answer is B. Body of Knowledge Domain II(E): European Data Protection Law and
Regulation (Information Provision Obligations)
Under GDPR Article 12(1), the privacy notice should be conveyed in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, in particular for any
information addressed specifically to a child. The Regulation is clear that to process
children’s data under the legal basis of consent, not only does the language of the privacy
notice have to comply, but the consent must come from the ‘holder of personal responsibility
over the child’.
- If a third-country data controller or processor does not wish to comply with the supervisory authority decision, then under the GDPR, the supervisory authority has the power:
A. To waive its decision as its powers are limited to the EU and its member states.
B. To carry out its actions outside the EU without the target country’s consent.
C. To force the data controller or processor to relocate to an EU member state.
D. To order the suspension of data flows to a recipient in the third country.
The correct answer is D. Body of Knowledge Domain II(J): European Data Protection Law and
Regulation (Supervision and Enforcement)
Under GDPR Article 58(2)(j), each supervisory authority shall have the power to order the
suspension of data flows to a recipient in a third country or to an international organization.