PRACTICE QUESTIONS Flashcards
Practice Questions
According to the General Data Protection Regulation (GDPR), when does an organisation need to take action to legitimise cross-border data transfers of personal data?
A. When the data is routed through another jurisdiction, whether the other jurisdiction is in or outside the European Union.
B. When the data is transferred from one jurisdiction within the European Union to another jurisdiction within the European Union.
C. When the data is transferred from a jurisdiction outside the European Union to a member state of the European Union.
D. When the data is transferred from a jurisdiction in the European Union to a third country which is not deemed adequate.
D
Which is an example of direct marketing?
A. An email sent to an individual about an order she has placed for a book.
B. An email sent to an individual promoting a new book which is on sale.
C. A letter addressed to ‘the household’ about a charity bookstore.
D. An advertisement on a website promoting a new book which is on sale.
B
When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?
A. Within 72 hours after the controller becomes aware of it.
B. No later than 5 calendar days after the incident is identified.
C. Without unreasonable delay but no later than 30 days.
D. Notification to the supervisory authority is not required.
A
Under what condition is processing ‘sensitive employee data’ acceptable?
A. The processing is necessary to improve the quality of the employer-employee relationship.
B. The processing is necessary for the data controller to carry out their obligation in the field of employment law.
C. The processing is necessary for the interest of both the data controller and the employee.
D. The processing is necessary for the interests pursued by the data controller.
B
A large law firm in France wants to transfer employee names to a telecom provider to offer employees mobile phone services. The telecom provider’s headquarters are located in Spain. Why would binding corporate rules be ineffective in protecting the transferred data:
A. Because BCRs only provide adequate safeguards for organisations who move data outside their corporation.
B. Because BCRs secure transfers to third parties without needing to fulfil additional requirements.
C. Because BCRs only deal with intra-organisational transfers and not with transfers to third parties.
D. Because BCRs require contractual arrangements to legitimize international transfers of data.
C
Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?
A. No, under the GDPR, using video surveillance is never allowed.
B. No, video surveillance is too intrusive a solution for inventory access.
C. Yes, provided that the company complies with specific conditions.
D. Yes, without any further conditions to be taken into account.
C
Which institution is responsible for ensuring that directives are implemented properly by the member states?
A. European Court of Justice.
B. European Commission.
C. European Parliament.
D. European Data Protection Supervisor.
B
What is true for a contract based on European Commission standard contractual clauses with a processor outside the European Economic Area?
A. For subcontracting, the processor must inform the controller and obtain written approval.
B. Before the processing starts, the processor must obtain permission from the European Commission.
C. The data subject must consent to processing by a processor located outside of the European Economic Area.
D. The processor must provide a compliance statement from its data protection authority.
A
Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?
A. Performance of a contract.
B. Transferring data to an archive.
C. Statistical purposes.
D. Historical or scientific research.
A
Along with legitimacy, what is another condition that must be met when carrying out employee monitoring?
A. The monitoring must be in the public interest at the time of collection.
B. The monitoring must be done during agreed-upon time constraints.
C. The monitoring must be performed under an employment contract.
D. The monitoring must be limited to what is necessary for the purposes.
D
Which is an example of cloud computing?
A. A software package installed on a laptop.
B. A web-based email platform.
C. A portable mass storage device.
D. A single web server.
B
According to the GDPR, the right to data portability applies:
A. When processing was originally based on the user’s consent.
B. When the processing was based on a public interest.
C. When the processing was done through ‘manual means’.
D. When the processing was based on the controller’s legitimate interests.
A
A collection is part of a historical research initiative. Which is the most accurate statement concerning the obligations imposed by the GDPR?
A. As a regulation rather than a directive, the GDPR sets forth binding provisions for EU member states to follow without discretion.
B. The GDPR provides a framework which member states can choose to use as a basis for national legislation.
C. As a regulation rather than a directive, the GDPR sets forth binding provisions for EU member states to follow but it leaves them discretion in some areas.
D. The GDPR imposes binding obligations on all EU member states as well as on all countries deemed ‘adequate’ by the European Commission.
C
Which is the most accurate statement concerning the obligations imposed by the GDPR regarding notification of data processing activities?
A. Notification is now optional but is recommended to foster the transparency of data processing activities.
B. Notification remains mandatory to finance the national data protection authority’s operations.
C. Notification is no longer required as the GDPR has switched to an accountability framework.
D. Notification is required of all processors but is not required of controllers.
C
Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
A. Costs of implementation.
B. The state of the art.
C. Scope of processing.
D. The size of the organisation.
D
Which is NOT a special category of data?
A. Political affiliation.
B. Health information.
C. Ethnic origin.
D. Social Security number.
D
Which institution has the power to adopt adequacy findings for the European Union?
A. Working Party 29.
B. European Commission.
C. European Data Protection Supervisor.
D. European Court of Justice.
B
Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?
A. The recipients are existing customers.
B. The controller is a non-profit organisation.
C. The data subject and controller work in the same industry.
D. The recipient’s email address is taken from a public register.
A
Under the GDPR, organizations that are not established in the EU that monitor behaviour will be subject to the Regulation when:
A. The equipment being used for monitoring is located in the EU.
B. The behaviour being monitored occurs within the EU.
C. The individual being monitored is a citizen of an EU member state.
D. The individual being monitored is an EU citizen visiting the United States.
B
Big data projects often gather and generate a multitude of data and relations that lead to additional data derivation opportunities. Which of the following statements is correct with regard to big data?
A. Big data projects are exempt from the proportionality principle of the GDPR.
B. Big data projects are subject to case-by-case review under the GDPR.
C. Big data projects are subject to the proportionality principle of the GDPR.
D. Big data projects are permitted to retain all data collected prior to the GDPR taking effect.
C
Under the GDPR, privacy notices relating to services intended for children, must be:
A. In a concise, transparent, intelligible, easily accessible form for adults to understand and explain to the child.
B. In a concise, transparent, intelligible, easily accessible form and in language the child can understand.
C. In concise legal language comprehendible to a subject matter expert or legal professional.
D. In the same format as privacy notices intended for adults as children are not addressed separately under the GDPR.
B
If a third-country data controller or processor does not wish to comply with the supervisory authority decision, then under the GDPR, the supervisory authority has the power:
A. To waive its decision as its powers are limited to the EU and its member states.
B. To carry out its actions outside the EU without the target country’s consent.
C. To force the data controller or processor to relocate to an EU member state.
D. To order the suspension of data flows to a recipient in the third country.
D
Will a mexican retailer which operates in the mexican environment aapoints a processor in Spain be subject to GDPR.
No. but the processor will be.
If a Chinese e-commerce website has an office in Berlin running commercial prospection and marketing campaigns for EU markets will it be processing personal data in context of its German establishment.
Yes.
will the GDPR apply if a French controller has a car-sharing application only available in Morocco, Algeria, and Tunisia but the data processing activities are carried out by the controller in France
yes, citizenship is not determinative.
Will the collection of a US tourist’s personal data by a US company running a news site directed at the US market be subject to the GDPR, while they are travelling through a EU member states.
No, this was inadvertent. the company doesn’t intend to target individuals in the EU.
will processing of data collected on a fitness app to identify technical errors be considered compatible with the original purpose of suggesting personalised fitness routines?
yes, because improving the efficiency of the fitness app is linked to the original purpose
will the sharing of data gathered from an app designed to remind patients to take their medicine dose, with a pharmaceutical company that sells the medication.
no, this is not linked to the original purpose.
Sara applied for a role as an Typist at ABC Company in May 2024. Can ABC Company retain her CV information for future roles?
Yes, if the Sara is made aware and consents for the retention of the CV for future recruitment exercises.
