CIPP-E Online Practice Questions and Answers

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend's daughter, Alice, who just graduated from law school in the US., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

A. Notify its Data Protection Authority about the data breach.

B. Analyze and evaluate the liability for customers in Ireland.

C. Analyze and evaluate all of its breach notification obligations.

D. Notify all of its customers that reside in the European Union.

SCENARIO Please use the following to answer the next question: Zandelay Fashion (`Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the

company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial

information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases.

Martin tells the CEO that:

(a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities. What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

A. Information about DPIAs found in Articles 38 through 40 of the GDPR.

B. Data breach documentation that data controllers are required to maintain.

C. Existing DPIA guides published by local supervisory authorities.

D. Records of processing activities that data controllers are required to maintain.

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.

B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

With the issue of consent, the GDPR allows member states some choice regarding what?

A. The mechanisms through which consent may be communicated

B. The circumstances in which silence or inactivity may constitute consent

C. The age at which children must be required to obtain parental consent

D. The timeframe in which data subjects are allowed to withdraw their consent

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

A. Inform the subjects about the collection

B. Provide a public notice regarding the data

C. Upgrade security to match that of the source

D. Update the data within a reasonable timeframe

According to the Personal Data Protection Commission's (PDPC) “Guide to basic data anonymization techniques,” recently adopted by the Spanish Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

A. Swapping.

B. Generalization.

C. Data Adjustment.

D. Attribute Suppression.

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.

In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and on boarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance. a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-loend encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

A. Adequacy

B. Binding corporate rules.

C. Explicit consent of employees.

D. Standard contractual clauses

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B. Adequacy determinations automatically lapse when a Member State leaves the EU.

C. The UK is now a third country because it's no longer subject to the GDPR.

D. The UK is less trustworthy now that its not part of the Union.

Article 58 of the GDPR describes the powers of supervisory authorities. Which of the following is NOT among those granted?

A. Legislative powers.

B. Corrective powers.

C. Investigatory powers.

D. Authorization and advisory powers.

According to Art. 23 GDPR, which of the following data subject rights can NOT be restricted?

A. Right to restriction of processing.

B. Right to erasure ("Right to be forgotten").

C. Right to lodge a complaint with a supervisory authority.

D. Right not to be subject to automated individual decision-making.