IAPP CIPP-E Exam Practice Test Instant Access

Question 1

ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

APrivacy by design.

BComprehensive ethical Al software.

CPrivacy notices for companies providing services to consumers.

DAutomated systems for identifying EU data subjects' personal data.

Answer : A

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer's privacy rights and preferences are placed at the center of product development and operation.

Question 2

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?

AAn integrity breach.

BAn accuracy breach.

CAn availability breach.

DA confidentiality breach.

Answer : D

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

Question 3

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

AIf the cookies do not track personal data, then pre-checked boxes are acceptable.

BIf the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

CIf a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

DIf a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Answer : B

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user's device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

Question 4

As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his

name, and has used the email address registered in your system.

What would be the most appropriate way to confirm the identity of the customer?

ARequest that the customer provide his bank account number.

BRequest that the customer answer additional security questions.

CRequest a copy of the customer's last bank account statement.

DRequest a copy of the customer's government-issued ID document.

Answer : B

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

Question 5

A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use

All of the following factors would be relevant for the company to consider EXCEPT'?

AAny onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.

BThe process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data

CThe technical, financial, and staff resources available to an authority m the third country concerned that may access the personal data to be transferred

DThe contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned

Answer : B

Question 6

Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal dat

a. However, both articles specify an exemption for situations in which the data subject already has the information.

Which other situation would also exempt the data controller from this obligation under Article 14?

AWhen providing the information would go against a police order.

BWhen providing the information would involve a disproportionate effort

CWhen the personal data was obtained through multiple source in the public domain

DWhen the personal data was obtained 5 years before the entry into force of the GDPR

Answer : B

According to Article 14 of the GDPR, the data controller must provide the data subject with certain information when collecting personal data from a source other than the data subject1.However, there are some exceptions to this obligation, such as when the data subject already has the information, or when the provision of such information proves impossible or would involve a disproportionate effort2.The latter exception may apply, for example, when the personal data are collected from a large number of sources, or when the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes3.The data controller must take appropriate measures to protect the data subject's rights and interests, and make the information publicly available2.Reference:1: Art.14 GDPR -- Information to be provided where personal data have not been obtained from the data subject2: Article 14(5)(b) of the GDPR3: Recital 62 of the GDPR.

Question 7

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

APrivacy dashboard notice

BVisualization notice.

CJust-in-lime notice.

DLayered notice.

Answer : A

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1.This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1.A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer.Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1.Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1.Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1.Reference:

What's new in WP29's final guidelines on transparency?

IAPP CIPP-E Certified Information Privacy Professional/Europe Exam Practice Test