Practice Exam Flashcards
How does the GDPR define ‘processing’?
Any operation or set of operations performed on personal data or on sets of personal data.
Body of Knowledge Domain II, Subdomain A
The correct answer is B. Processing is defined by the Regulation as ‘any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. See Article 4(2) of the GDPR.
A breach of security leading to the accidental destruction or loss of personal data triggers notification obligations. According to Article 33(2) of the GDPR, how soon must the data processor notify the data controller about such a breach of security?
Without undue delay after becoming aware of the personal data breach.
Body of Knowledge Domain II, Subdomain G
The correct answer is C. A data breach occurs when the data for which an organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, the organisation must notify the supervisory authority without undue delay and at the latest within 72 hours after becoming aware of the breach. If the organisation is a data processor, it must notify the data controller of any data breach without undue delay after becoming aware of it. If the data breach poses a high risk to those affected, then the controller should inform the data subjects unless there are effective technical and organisational protection measures that have been put in place or other measures that ensure the risk is no longer likely to materialise. As an organisation, it is vital to implement appropriate technical and organisational measures to avoid possible data breaches. See Article 33(2) of the GDPR.
Under the GDPR, when processing an individual’s personal data in the context of direct marketing activities, data controllers must do which of the following?
A. Provide individuals with the categories of any third parties who will rely on the consent.
B. Encrypt the personal data being processed prior to using it for marketing purposes.
C. Disclose to individuals the specific lawful basis for the collection and use of the personal data.
D. Provide individuals with information explaining that their personal data will be used for marketing purposes.
Provide individuals with information explaining that their personal data will be used for marketing purposes.
Body of Knowledge Domain III, Subdomain C
The correct answer is D. Under the GDPR, an organisation must disclose to data subjects how their personal data will be used and must obtain unambiguous consent for direct marketing unless the direct marketing falls under the basis of legitimate interest. However, the organisation is not required to disclose the lawful basis for processing to data subjects. In addition, organisations must disclose to consumers the actual names of any third parties with whom the data will be shared; providing the categories under which those third parties are classified is not sufficient. Encryption must be considered but is not required under the GDPR, although it is a best practice for cybersecurity.
A full and valid set of binding corporate rules (BCRs) must include specific elements. Which of the following is NOT one of the required elements?
A. A list of the specific categories of personal data to be processed under the BCR.
B. A list of all controllers and processors for data transfers not affected by the BCR.
C. A list of the methods through which the BCRs are communicated to data subjects.
D. A list of the tasks of any person in charge of monitoring compliance with the BCR.
B. A list of all controllers and processors for data transfers not affected by the BCR.
Body of Knowledge Domain II, Subdomain I
The correct answer is B. Article 47 of the GDPR specifically references BCRs as legally binding data transfer mechanisms. It sets forth data subjects’ enforceable rights as well as the elements that must be included. In addition to the three elements listed within the options, the required elements are the details of the data transfers; the legally binding nature, both internally and externally, of the BCR; the acceptance of liability for any breaches of the BCR; the tasks of the data protection officer, if any; and how the BCR is communicated to the data subject.
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
CJEU can force national governments to implement and honour EU law, while the ECHR cannot.
Body of Knowledge Domain I, Subdomain B
The correct answer is B. The ECHR is not an institution of the EU; instead, it is part of the apparatus of the Council of Europe, a broader group of member states than the EU. The ECHR was founded in 1959 to oversee the European Convention on Human Rights. Thus, it enforces the European Convention on Human Rights rather than EU law.
While the ECHR’s powers don’t encompass the implementation of EU law, the CJEU can force national governments to administer and honour EU law. The CJEU interprets EU law to make sure it is applied in the same way in all EU countries and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution if they feel it has somehow infringed their rights.
According to GDPR Article 56, what is a lead supervisory authority’s (LSA) main concern?
Cross-border processing.
Body of Knowledge Domain II, Subdomain J
The correct answer is C. A lead supervisory authority (LSA) is assigned when a company operates in multiple EU jurisdictions. Article 56 requires, without prejudice to Article 55, that the supervisory authority of the main establishment or of the single establishment of the controller or processor be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. Additionally, Article 60(1) creates duties of cooperation for cross-border processing. While the LSA is concerned with data subject rights, data access disputes and special categories of data, the lead role was established specifically for dealing with cross-border issues.
Which of the following would most likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
A. The behaviour of suspected terrorists being monitored by EU law enforcement bodies.
B. Personal data of EU residents being processed by non-EU businesses that target EU customers.
C. The behaviour of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
D. Personal data of EU citizens being regularly processed by a controller or processor based outside the EU.
B. Personal data of EU residents being processed by non-EU businesses that target EU customers.
Body of Knowledge Domain II, Subdomain B
The correct answer is B. While many of the scenarios listed above could potentially trigger the extraterritorial effect of the GDPR, the processing of EU residents’ personal data by a non-EU business that targets data subjects in the EU will always do so. If a non-EU company explicitly targets EU customers, then it is subject to GDPR compliance.
Each of the following is a valid transfer mechanism data controllers may rely upon to legally transfer EU personal data outside of the EU EXCEPT?
A. Industry standards.
B. Binding corporate rules.
C. Adequacy determination.
D. Standard contractual clauses.
A. Industry standards.
Body of Knowledge Domain II, Subdomain I
The correct answer is A. While industry standards and certifications of adherence to them are useful in demonstrating compliance capabilities, they would first need to be approved by the EU Commission to be considered a valid transfer mechanism. As of November 2021, the EU Cloud Code of Conduct, based on ISO standards, is the only approved code/certification under the GDPR.
Which of the following is NOT amongst the rights and freedoms that must be considered when balancing privacy rights under the GDPR?
A. Right to a fair trial.
B. Freedom of expression.
C. Right to self-determination.
D. Freedom to conduct a lawful business.
C. Right to self-determination.
Body of Knowledge Domain I, Subdomain C
The correct answer is C. The right to self-determination is an important right in democratic societies. It allows people to freely determine their political status and pursue economic, social and cultural development. However, it is not a right explicitly called out in the GDPR.
The right to a fair trial, freedom of expression and freedom to conduct a lawful business are rights mentioned in Recital 4 of the GDPR.
A high-security bank requires members to use fingerprint identification to access specific vaults. The bank retains those records to determine who obtained access and when. The bank must determine the lawful basis for processing under the GDPR.
Which lawful basis would most likely apply to this type of processing activity?
A. The bank must require members to provide consent to the processing of their fingerprints for the purposes of uniquely identifying them according to Article 9(2)(a).
B. The bank must have a legitimate interest according to Article 6(1)(f) and proceed with undertaking a balance test with the fundamental rights and freedoms of the data subject.
C. The bank must rely on processing for the carrying out of obligations if authorised by member state law under Article 9(2)(b) and proceed with conducting a data protection impact assessment.
D. The bank must halt the implementation altogether since Article 9(1) prohibits organisations from collecting and processing biometric data for the purpose of uniquely identifying their members.
B. The bank must have a legitimate interest according to Article 6(1)(f) and proceed with undertaking a balance test with the fundamental rights and freedoms of the data subject.
Body of Knowledge Domain II, Subdomain D
The correct answer is B. Under the GDPR, biometric data, such as fingerprints, is a special category of personal data. Biometric data is unique to each person and cannot be changed at will. It is therefore important to protect this type of data properly. As such, under Article 9(2) of the GDPR, biometric data may only be processed in certain cases, for example when the data subject has given explicit consent to the processing, for reasons of substantial public interest, for reasons of public interest in the area of public health, or when the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or member state law. Proving legitimate interest would be the bank’s only legal basis; the legitimate interest being that it is necessary to provide the appropriate level of security the members expect of the bank and that the processing relates solely to the members. While it might seem reasonable to obtain explicit consent, consent would not apply here as it is non-negotiable (EDPB Guidelines 05/2020).
Administrative fines imposed under GDPR Article 83 must be?
Effective, proportionate, and dissuasive.
Body of Knowledge Domain II, Subdomain K
The correct answer is D. According to the GDPR, Art. 83, ‘Each supervisory authority (SA) shall ensure that the imposition of administrative fines pursuant to this Article due to infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate, and dissuasive’.
Supervisory authorities can levy significant fines against entities for GDPR violations, which vary depending on the nature of the violation. However, before imposing a fine, the SA must consider a variety of factors (Article 83(2)). A proposed fine can be challenged in court, and attempts to impose exorbitant fines have been rejected by the courts.
Much of the GDPR builds upon the Data Protection Directive. Which of the following data subject rights is the only right that did NOT exist in some form in the Directive?
A. The right of access.
B. The right to rectification.
C. The right to data portability.
D. The right to restrict processing.
C. The right to data portability.
Body of Knowledge Domain II, Subdomain F
The correct answer is C. The right to data portability did not exist in the Data Protection Directive; portability was one of the notable new inclusions in the GDPR. The Directive did allow for some right of access, although the GDPR expanded the categories of data that could be requested. The scope of the right to rectification was included in the Directive and was largely unchanged by the GDPR. Similarly, the Directive already allowed data subjects to restrict processing by requesting that certain data be ‘blocked’.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s privacy office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees’ computer activity and their location. During these activities, the information security team discovered that one employee from Italy was connecting daily to a video library of movies and another from Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company’s computers and from working remotely without authorisation.
Assessed potential privacy risks by conducting a data protection impact assessment.
Body of Knowledge Domain III, Subdomain A
The correct answer is B. Since Building Block is considered a data controller, most of the responsibilities for compliance with the GDPR fall to it. The data controller is responsible for providing information to the data subjects, ensuring that processing has a legitimate basis and that the data subject’s rights are honoured, carrying out data protection impact assessments in the case of high-risk processing, ensuring that there is appropriate security for data, and determining whether notification to data protection authorities (DPAs) or data subjects is necessary in case of a personal data breach.
What would be the most appropriate way for Building Block to handle the situation with the employee from Italy?
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s privacy office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees’ computer activity and their location. During these activities, the information security team discovered that one employee from Italy was connecting daily to a video library of movies and another from Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company’s computers and from working remotely without authorisation.
Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
Body of Knowledge Domain III, Subdomain A
The correct answer is C. As required by the notice requirement under the Regulation, employers must provide employees with sufficient information about the monitoring activity. This transparency is important not only to meet the notice requirement but also to set employees’ expectations about how their time at work will be monitored. Setting expectations is central to ensuring that monitoring is lawful.
If employees have not been told that their behaviour will be monitored in the workplace, they have a greater expectation of privacy. Informing employees of how they will be monitored can reduce that expectation. It is not, however, possible for an employer to argue that a lack of privacy in the workplace is acceptable just because the employer has warned employees that they have no workplace privacy. A court or DPA would not recognise such a comprehensive warning as legitimate since the law recognises that workers enjoy a certain degree of privacy in the workplace that cannot be completely eradicated.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s privacy office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees’ computer activity and their location. During these activities, the information security team discovered that one employee from Italy was connecting daily to a video library of movies and another from Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company’s computers and from working remotely without authorisation.
Information about whom employees should contact for any queries.
Body of Knowledge Domain III, Subdomain A
The correct answer is B. The European Data Protection Supervisor issued ‘Guidelines on personal data and electronic communications in the EU institutions’ in December 2015, which align with guidance in the Regulation and in the ePrivacy Directive. Amongst other information to be provided to employees, companies should inform them of their rights, including whom to contact and how to do so, in the event of questions or concerns.
Which of the following would most likely NOT be covered by the definition of ‘personal data’ under the GDPR?
A. A payment card number of a Dutch citizen.
B. A U.S. Social Security number of an American citizen living in France.
C. An email address titled info@business.com monitored by a specific individual.
D. An identification number of a German candidate for a professional examination in Germany.
C. An email address titled info@business.com monitored by a specific individual.
Body of Knowledge Domain II, Subdomain A
The correct answer is C. ‘Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. A general email address for a business would not be considered personal data as it does not relate to and cannot be used to identify an individual.
Under Article 17(1) (right to erasure or ‘right to be forgotten’), what is a controller required to do when they receive a proper request for erasure from a data subject?
Inform all third-party controllers processing shared personal data that they must delete it.
Body of Knowledge Domain II, Subdomain F
The correct answer is D. According to GDPR Article 17(1), when a data subject submits a proper request that their personal data be erased, the controller must not only delete that data, where specific grounds apply, but when the controller has made the data public, it must inform third parties who are processing the published personal data as controllers that the data subject has exercised their right to erasure. A list of additional controllers does not need to be provided to the data subject under Article 17 as part of the controller’s requirements to meet the erasure request; however, Article 13 does set forth requirements for disclosure of shared data.
Backup data need not be deleted immediately; however, the controller must ensure that access to restoring the data is limited and can only be done once there has been a thorough review to ensure there has been no deletion request. There is no requirement for providing a copy of all deleted information.
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) had in common but largely failed to achieve in Europe?
The synchronisation of the approaches to data protection.
Body of Knowledge Domain I, Subdomain A
The correct answer is C. The OECD Guidelines, Convention 108 and the Data Protection Directive all had the goal of a synchronised approach to data protection, but it wasn’t until the GDPR that the harmonised approach that each of them failed to achieve was realised. The OECD created a non-binding series of guidelines that served as the basis for many future laws. Convention 108, a Council of Europe treaty, stemmed partly from the OECD and was available for countries to utilise starting in 1981. In 1995, the European Union passed the Data Protection Directive (Directive 95/46/EC), which was Europe’s primary data protection law until the GDPR went into effect on 25 May 2018.
A directive, unlike a regulation such as the GDPR, requires member states to enact their own legislation that serves as a country’s version of that directive. One goal with the GDPR was to move to a regulation, which was a single law that applied automatically to the member states, creating a more synchronised and harmonised approach to data protection.
An organisation wants to use a digital identity verification app to authenticate the identities of new customers. Customers will be asked to upload a photo ID document such as passport, driving licence or national ID and then asked to upload a picture of their face in the app. The ID document’s authenticity is checked, and biometrics are used to ensure the ID document belongs to the customer.
What step should the organisation take to ensure the data minimisation principle is implemented when collecting the personal data?
Ask customers for consent to process the personal data for the purpose of verifying their identity.
Body of Knowledge Domain II, Subdomain C
The correct answer is C. Processing biometric data for the purpose of identification is high-risk processing under the GDPR, so a data protection impact assessment is likely to be required for this activity. The assessment should consider whether this processing activity is necessary and whether the information collected is necessary to meet the purpose of identity verification and consider the minimum amount of information required to fulfil the purpose identified. The data minimisation principle states that personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.
Which of the following is NOT one of the seven EU-U.S. and Swiss-U.S. Privacy Shield Principles?
A. Choice.
B. Access.
C. Security.
D. Storage limitation.
D. Storage limitation.
Body of Knowledge Domain II, Subdomain I
The correct answer is D. The seven Privacy Shield Principles are (1) notice; (2) choice; (3) security; (4) access; (5) accountability for onward transfer; (6) data integrity and purpose limitation; and (7) recourse, enforcement and liability. Once an organisation publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable by the U.S. Federal Trade Commission under the authority of Section 5 of the FTC Act (prohibition on deceptive acts).
When determining whether to impose an administrative fine and its amount, a supervisory authority takes into account the intentional or negligent character of the infringement. Which of the following is another criterion that would have a bearing on the amount of the fine?
A. The actions the data controller takes to mitigate the damage suffered by data subjects.
B. The type of industry in which the data controller conducts the core of its business activities.
C. The data controller’s insurance policy for security breaches and relevant coverage thresholds.
D. The liability limitations in the commercial contract between the data controller and the data processor.
A. The actions the data controller takes to mitigate the damage suffered by data subjects.
Body of Knowledge Domain II, Subdomain K
The correct answer is A. Article 83(2) of the GDPR provides a list of criteria the supervisory authorities are expected to use in the assessment both of whether a fine should be imposed and the amount of the fine. One of the criteria when determining whether to impose an administrative fine is any action taken by the controller or processor to mitigate the damage suffered by data subjects. See Art. 83(2) of the GDPR and WP29 ‘Guidelines (253/2017) on the application and setting of administrative fines for the purposes of the Regulation 2016/679’.
Under the GDPR, which of the following statements is TRUE regarding a data subject’s right to opt out of direct marketing?
A. The opt-out request can be expedited by charging a reasonable fee to the data subject.
B. The right to opt out must be exercised within 30 days of the first communication with the data subject.
C. The right to opt out excludes the retention of profiling data provided that all other personal data is deleted.
D. The right to opt out applies to direct marketing sent in any way, including by post, phone and electronic mail.
D. The right to opt out applies to direct marketing sent in any way, including by post, phone and electronic mail.
Body of Knowledge Domain III, Subdomain C
The correct answer is D. Under the GDPR, the right to opt out applies to all direct marketing formats. Data subjects have the right to opt out at any time. No fee may be charged to a data subject exercising the right to opt out.
Pursuant to Article 32(1) of the GDPR, which is a technical and organisational measure to ensure a level of security appropriate to the assessed risks?
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Body of Knowledge Domain II, Subdomain G
The correct answer is B. The GDPR stipulates the following possibilities to ensure the security of personal data with an adequate level of protection: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; or (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
According to the GDPR, the principles of data protection continue to apply to pseudonymised and encrypted data but do not apply to anonymised data since the latter no longer relates to an identified or identifiable individual.
Therefore, while data pseudonymisation and data encryption are security-enhancing technologies for the protection of personal data stored in databases, data anonymisation is a type of data sanitisation by which personal data are cleansed from databases to the point that the GDPR is no longer applicable. See Article 32(1) of the GDPR.
According to the GDPR, how is pseudonymous personal data defined?
The potential harm caused if there was a personal data breach.
Body of Knowledge Domain II, Subdomain A
The correct answer is D. The GDPR defines pseudonymisation as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. Pseudonymous data would include profiles that can be connected to an individual even where the controller does not, in fact, intend to make this connection. Pseudonymous data shall not be considered anonymous.