IAPP CIPP-E Exam Practice Test Instant Access

Question 1

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

AAdopting a risk-based approach and implementing supplementary measures as needed.

BEnsuring that all data transfers are encrypted with unbreakable encryption algorithms.

CObtaining explicit consent from each EU citizen for every individual data transfer.

DStoring all personal data within the borders of the European Union.

Answer : A

Question 2

You are the new Data Protection Officer for your company and have to determine whether the company has implemented appropriate technical and organizational measures as required by Article 32 of the GDPR. Which of the following would be the most important to consider when trying to determine this?

AHow security measures might evolve in the future

BWhich security measures are endorsed by a majority of experts.

CHow the public perceives what constitutes adequate security measures

DWhich kinds of security measures your company has employed in the past

Answer : C

Question 3

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

AThey are allowed if determined to be technically necessary.

BThey do not amount to valid consent under any circumstances.

CThey are allowed if recorded In the register of processing activities.

DThey constitute valid consent if the processing is necessary for purposes of legitimate interest

Answer : D

Question 4

After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?

AAny parents of children whose personal data was compromised.

BAny affected customers whose data was compromised.

CA competent supervisory authority.

DA local law enforcement agency

Answer : B

Question 5

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

AOutside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

BWithin the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

CWithin the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

DOutside the material scope of the GDPR, because transactions are for personal or household purposes

Answer : C

Question 6

A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

AObtain specific consent for the new processing

BOnly inform the data subjects of the new purpose.

CProceed no further, as such repurposing is unlawful

DUpdate the privacy notice upon which consent was given

Answer : A

According to the GDPR, consent is one of the lawful bases for processing personal data1.Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2.Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes3.If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing4. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject's agreement to the new processing.Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions5.Reference:

Free CIPP/E Study Guide, page 23, section 4.1.1

GDPR, Article 4 (11)

GDPR, Recital 32

GDPR, Article 6 (4)

GDPR, Article 83 (5) (a)

Question 7

A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.

Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

APayments cannot be made in a European Union currency.

BThe controller does not have an establishment in the European Union.

CThe website is not available in several official languages of European Un on Member States

DThe website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.

Answer : A

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. This means that the GDPR applies to any controller or processor that has a branch, office, subsidiary, or other stable arrangement in the EU, even if the data processing occurs outside the EU.However, the GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1. This means that the GDPR applies to any controller or processor that targets or tracks EU data subjects, even if they do not have a presence in the EU. In this case, the website operator is not required to comply with the GDPR because it does not have an establishment in the EU (option B), and it does not offer goods or services or monitor the behaviour of EU data subjects. The website operator reports primarily on North American events, does not block connections from outside the U.S., and only accepts payments in U.S. dollars, which indicate that it does not intend to target or track EU data subjects. Therefore, option B is the correct answer.Reference:Art. 3 GDPR -- Territorial scope,Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), [What does territorial scope mean under the GDPR?]

IAPP Certified Information Privacy Professional/Europe Exam Practice Test