IAPP CIPP-E Certified Information Privacy Professional/Europe Exam Practice Test

Page: 1 / 14
Total 295 questions
Question 1

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users' ethnic origin, nationality, and gender. Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?

A. Processing necessary for scientific or statistical purposes.
B. Processing necessary for reasons of substantial public interest.
C. Processing necessary for purposes of preventive or occupational medicine.
D. Processing necessary for the defense of legal claims in potential negligence cases.



Answer : C

Under Article 9 of the GDPR, processing of special category data (e.g., ethnicity, health data) is prohibited unless an exception applies.

Why is C the correct answer?

AI-based medical devices fall under 'preventive or occupational medicine' as per GDPR Article 9(2)(h).

The AI system is used to detect skin cancer, a form of preventive medicine, making this the appropriate basis.

Why are other answers incorrect?

A (Scientific research or statistical purposes) While scientific research can be a legal basis, it requires additional safeguards such as anonymization, which may not be feasible in this case.

B (Substantial public interest) While public health is important, this processing is specific to medical diagnosis, making Article 9(2)(h) more appropriate.

D (Defense of legal claims) Legal claims are not relevant here, as the processing is for bias mitigation in AI training.


Question 2

What monitoring may lawfully be performed within the scope of Gentle Hedgehog's business?

A. Everything offered by Sauron Eye's software in relation to activity by sales team contractors.
B. Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.
C. Only emails, website browsing history, and camera for internal video calls conducted in a non-secure environment.
D. Only emails, website browsing history, and camera for internal video calls that are expressly marked as monitored.



Answer : D

Under GDPR and EU employment law, employee monitoring must comply with the principles of necessity, proportionality, legitimacy, and transparency.

Legal requirements for employee monitoring:

Necessity: Employers must demonstrate that monitoring is necessary for a legitimate purpose.

Proportionality: The monitoring must be the least intrusive method available.

Transparency: Employees must be fully informed about what is being monitored.

Why is D the correct answer?

GDPR requires that monitoring must be explicitly communicated and justified.

Employers can monitor work emails, browsing history, and video calls, but only if employees are clearly informed and the purpose is justified.

Why are other answers incorrect?

A (Monitoring all contractor activity) Contractors have data protection rights too; monitoring must still be necessary and proportionate.

B (Daily consent requirement) Employee consent is not valid under GDPR in most cases due to power imbalance.

C (Monitoring in non-secure environments only) The location does not determine the lawfulness of monitoring.

Conclusion: The correct answer is D, as only explicitly marked and justified monitoring is lawful under GDPR.


Question 3

The Murla HB Club should have carried out a DPIA before the installation of the new access system AND at what other time?

A. After the complaint of the supporter.
B. Periodically, when new risks were foreseen.
C. At the end of every match of the season.
D. After the AEPD notification of the investigation.



Answer : B

A Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR when data processing is likely to result in a high risk to individuals' rights and freedoms. This includes processing involving new technologies, systematic monitoring, or the large-scale processing of sensitive data.

When should a DPIA be conducted?

Before implementing a new high-risk processing activity (e.g., a biometric access system).

Whenever a significant change in risk occurs (e.g., security updates, regulatory changes, new threats).

Regularly to reassess and mitigate emerging risks.

Why is B the correct answer?

DPIAs are not a one-time process; they must be reviewed periodically to assess new risks.

Why are other answers incorrect?

A (After the complaint) A DPIA is a proactive measure, not something done only after a complaint.

C (At the end of the season) GDPR does not require assessments to be tied to event cycles.

D (After regulatory notification) A DPIA is a proactive obligation carried out before the processing starts, not a response to a supervisory authority opening an investigation.

Conclusion: DPIAs should be conducted periodically when new risks arise, making B the correct answer.


Question 4

Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A. A data breach has not occurred because the loss was not the result of hacking.
B. A data breach has not occurred because no data was exposed to any unauthorized individual.
C. A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.
D. A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.



Answer : D

Under the GDPR (Article 4(12)), a personal data breach is defined as:

'A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed'.

Why Answer Choice D is Correct

Loss of Encryption Key = Loss of Data Availability

The loss of the decryption key means that the bank can no longer access customer transaction data.

Availability is a fundamental aspect of data security (Article 32). Loss of availability constitutes a breach under GDPR.

Loss of Confidentiality & Integrity

If the encryption key is lost, data cannot be decrypted, meaning it is effectively destroyed or altered.

This qualifies as a data breach under GDPR since data integrity and confidentiality are compromised.

Why Other Answer Choices Are Incorrect:

A (No Breach Because No Hacking):

GDPR does not require hacking for a breach to occur. A loss of access alone can qualify.

B (No Breach Because No Unauthorized Access):

Unauthorized disclosure is one type of breach, but GDPR also covers loss and destruction of personal data.

C (Data Breach Due to Inaccessibility):

Partially correct but does not fully explain the GDPR criteria. GDPR defines breaches in terms of confidentiality, integrity, and availability, all of which are affected here.

Conclusion:

This incident is a data breach under GDPR, as it impacts data confidentiality, integrity, and availability.

The correct answer is D, because losing the decryption key compromises data integrity and availability, qualifying as a data breach under GDPR Article 4(12).


Question 5

Once an organization has conducted an internal investigation to determine the scope of a ransomware attack, what is the appropriate next step in the process?

A. Assess the risks associated with the breach and, if necessary, notify affected individuals and regulatory bodies within the relevant timeframes.
B. Notify law enforcement and consult with legal counsel to understand the implications of the breach and the notification requirements.
C. Inform all customers and the public via social media platforms to ensure rapid dissemination of relevant information.
D. Wait for law enforcement to provide guidance on notification procedures before taking any further action.



Answer : A

The GDPR (General Data Protection Regulation) has strict data breach response requirements, particularly for ransomware attacks that affect personal data. The appropriate next step after an internal investigation is to assess the risks associated with the breach and notify affected parties if necessary.

Key GDPR Breach Response Steps (Article 33 & 34):

Assess the risks to personal data

If the breach poses a risk to individuals' rights and freedoms, the supervisory authority (DPA) must be notified within 72 hours.

If there is a high risk, affected individuals must also be informed without undue delay.

Why Answer Choice A is Correct

Risk assessment is a critical first step after an internal investigation.

If the breach meets the risk threshold, notification to authorities and individuals is required under GDPR.

Why Other Answer Choices Are Incorrect:

B (Notify Law Enforcement First): While law enforcement may be involved, GDPR does not mandate consulting law enforcement before conducting a risk assessment or notifying individuals.

C (Informing the Public Immediately): Public disclosure via social media is not a GDPR requirement. Affected individuals and DPAs should be formally notified first.

D (Waiting for Law Enforcement): GDPR does not allow waiting for law enforcement before fulfilling notification obligations. Controllers must act within 72 hours.

Conclusion: The correct next step after an internal investigation is to assess the risks and, if necessary, notify affected individuals and regulatory bodies as required under GDPR Articles 33 and 34.


Question 6

How can the relationship between the GDPR and the Digital Services Act, the Data Governance Act and the Digital Markets Act most accurately be described?



Answer : B

The GDPR is the EU's general data protection regulation that applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. The GDPR sets out the principles, rights and obligations for the protection of personal data, as well as the enforcement and cooperation mechanisms among the data protection authorities and the European Data Protection Board.

The Digital Services Act (DSA), the Data Governance Act (DGA) and the Digital Markets Act (DMA) are part of the EU's digital strategy that aims to create a single market for data and digital services, by supporting responsible access, sharing and re-use of data, while respecting the values of the EU and in particular the protection of personal data. These legal acts do not change or replace the GDPR, but rather complement and reinforce it, by addressing specific issues and challenges related to the digital economy and society. The DSA, the DGA and the DMA explicitly state that they apply without prejudice to the GDPR and that they respect and uphold the fundamental rights and freedoms of individuals, including the right to the protection of personal data.

The DSA is a proposal for a regulation that seeks to harmonise the rules and responsibilities of online intermediaries, such as platforms, hosting services, cloud providers and online marketplaces, in order to ensure a safe and trustworthy online environment for users and businesses. The DSA introduces a set of obligations for online intermediaries, such as transparency, accountability, due diligence, cooperation and reporting, depending on their size, role and impact. The DSA also establishes a new governance and cooperation system among the national authorities and the European Commission, as well as a mechanism for out-of-court dispute resolution.

The DGA is a proposal for a regulation that aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The DGA introduces a new legal framework for data sharing services, such as data brokers, data marketplaces, data trusts and data cooperatives, that facilitate data exchange between data holders and data users. The DGA also sets out rules and requirements for data altruism, which is the voluntary consent of individuals or organisations to share data for the common good. The DGA also establishes a new governance model for data sharing in the EU, involving the European Data Innovation Board, the national competent authorities and the European Commission.

The DMA is a proposal for a regulation that intends to limit the power of large online platforms that act as gatekeepers in the digital market, by imposing a set of obligations and prohibitions to prevent unfair practices and ensure fair and open competition. The DMA defines the criteria and the procedure for identifying the gatekeepers, such as search engines, social networks, online marketplaces, app stores and cloud services, that have a significant impact and influence in the digital economy. The DMA also provides for the supervision and enforcement of the rules by the European Commission, as well as the possibility of imposing fines and sanctions for non-compliance.


GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, and 9.

DSA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DGA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DMA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

Question 7

All of the following will be established by the second Network and Information Security Directive ("NIS2") EXCEPT?



Answer : C

The NIS2 Directive is the EU's legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.


NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.
