Sample Questions Book Flashcards

1
Q

Which treaty established the European Economic Community?

A

The Treaty of Rome

2
Q

Which European institution audits the European Union?

A

The European Court of Auditors

3
Q

What is the executive body of the European Union?

A

The European Commission

4
Q

What directive or law is the most likely document referred to by a data protection officer for marketing via email?

A

The e-Privacy Directive

5
Q

When is consent most likely not required?

A

When it involves public data

6
Q

What are third parties required to do when collecting personal data on behalf of a controller?

A

The third parties are required to identify the controller for which the personal data are collected

7
Q

Example of a data breach

A

Wrongly addressed email

8
Q

Is processing personal data without the required processing agreement a data breach?

A

No, it is illegal processing, but it is not a breach of a security measure and hence not a data breach in the context of GDPR.

9
Q

Do you need to re-perform DPIAs for similar processing?

A

No

10
Q

What is the best description of standard contractual clauses?

A

Model clauses for personal data exchanges with countries outside the European Union

11
Q

What is a binding corporate rule?

A

BCRs are a set of rules between a group's members that describe their data protection policies in a way that indicates full compliance with GDPR

12
Q

Name a country not considered adequate

A

Australia

13
Q

Who determines whether a country has an adequate level of protection?

A

The European Commission

14
Q

At the moment of drafting GDPR, what new possibility did it provide?

A

Codes of conduct for international data transfer

15
Q

What is NOT a role of the data protection agency?

A

Provide tools and templates for GDPR implementation

16
Q

What is not one of the supervisory authority’s investigative powers?

A

To fine individuals for not cooperating with an investigation

17
Q

When are sensitive personal data about employees allowed to be processed without consent?

A

When it is necessary for carrying out obligations in the field of employment law

18
Q

Why do binding corporate rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?

A

Because BCRs only deal with intra-organisational transfers and not with transfers to third parties.

19
Q

GDPR Article 12(3)

A

requires that the controller or employer responds without undue delay or within a month.

20
Q

What is NOT and what is a compatible purpose for processing data beyond the purpose originally specified at the time of collection?

A

Performance of a contract is not a compatible purpose for processing data beyond the purpose originally specified at the time of collection. The GDPR does allow for further processing of data for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1)’ as compatible with initial purposes. S

21
Q

According to the GDPR, the right to data portability applies when …

A

Right to data portability applies when the data processing is based on the user’s consent or on a contract and the data processing is carried out by automated means.

It does not apply to ‘processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ 


22
Q

Do organisations have to notify about data processing activities?

A

The GDPR has abolished the need to notify the DPAs of processing of personal data activities given the shift to an accountability framework that includes appointment of DPOs and maintains a register of data processing activities. 


23
Q

According to the GDPR, what is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?

A

The size of the organisation is not one of the considerations to be taken into account in determining the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk. Article 32 of the GDPR, which focuses on the security of processing, provides that ‘the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons’ be taken into account so that ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.

24
Q

Under the GDPR, organizations that are not established in the EU that monitor behaviour will be subject to the Regulation when

A

Under the GDPR, non-EU organizations that monitor behaviour of EU individuals will also be subject to the Regulation provided that the behaviour being monitored occurs within the EU.