CIPP-E Online Practice Questions and Answers

Questions 4

Pursuant to Article 17 and EDPB Guidelines 5/2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

A. The personal data has been collected in relation to the offer of information society services (ISS) to a child.

B. The data subject withdraws consent and there is no other legal basis for the processing.

C. The personal data is no longer necessary in relation to the search engine provider's processing.

D. The processing is necessary for exercising the right of freedom of expression and information.

Questions 5

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.

Registration Form

Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third-party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:

Surname:

Year of birth:

Email:

Physical Address (optional*):

Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1. Jurisdiction. [...]

2. Applicable law. [...]

3. Limitation of liability. [...]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

What is one potential problem Vigotron's age policy might encounter under the GDPR?

A. Age restrictions are more stringent when health data is involved.

B. Users are only required to be aged 13 or over to be considered adults.

C. Organizations must make reasonable efforts to verify parental consent.

D. Organizations that tie a service to marketing must seek consent for each purpose.

Questions 6

Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

A. The data subject already has information regarding how his data will be used

B. The provision of such information to the data subject would be too problematic

C. Third-party data would be disclosed by providing such information to the data subject

D. The processing of the data subject's data is protected by appropriate technical measures

Questions 7

In which of the following situations would an individual most likely be able to withdraw her consent for processing?

A. When she is leaving her bank and moving to another bank.

B. When she has recently changed jobs and no longer works for the same company.

C. When she disagrees with a diagnosis her doctor has recorded on her records.

D. When she no longer wishes to be sent marketing materials from an organization.

Questions 8

If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

A. 1 month.

B. 3 months.

C. 5 months.

D. 12 months.

Questions 9

Higher fines are assessed for GDPR violations due to which of the following?

A. Failure to notify a supervisory authority and data subjects of a personal data breach

B. Violations of a data controller's obligations to obtain a child's consent

C. Failure to appoint a data protection officer.

D. Violations of a data subject's rights

Questions 10

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will never be shared with private third parties.

The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

A. The terms of service shall also enumerate all applicable anti-money laundering laws.

B. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

C. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.

D. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Questions 11

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage

Why is the additional measure recommended by Jackie sufficient for using UpFinance?

A. UpFinance is an established 7-year-old business.

B. UpFinance is in a highly regulated financial industry

C. UpFinance is based in a country without surveillance laws.

D. UpFinance implements sufficient data protection measures

Questions 12

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

1. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

2. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

3. Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

1. The lack of any privacy notice in the separate photocall area

2. The unlawful cross-border processing of his personal data

3. The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?

A. The total number of the data subjects interested.

B. The potential harm for the data subjects affected.

C. The limitation of rights of the data subjects concerned.

D. The exposure of the information of the data subjects involved.

Questions 13

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

A. Data Subject Rights.

B. Right of Action.

C. Necessity.

D. Consent.

Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: May 23, 2026
Questions: 307