In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
B. Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.
C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
D. Where the DPIA identifies risks that will require insurance for protecting its business interests.
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?
A. Documenting due diligence steps taken in the pre-contractual stage.
B. Conducting a risk assessment to analyze possible outsourcing threats.
C. Requiring that the processor directly notify the appropriate supervisory authority.
D. Maintaining evidence that the processor was the best possible market choice available.
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A. The controller will be liable to pay an administrative fine.
B. The processor will be liable to pay compensation to affected data subjects.
C. The processor will be considered to be a controller in respect of the processing concerned.
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved.
The Planet 49 CJEU Judgement applies to?
A. Cookies used only by third parties.
B. Cookies that are deemed technically necessary.
C. Cookies regardless of whether the data accessed is personal or not.
D. Cookies where the data accessed is considered as personal data only.
Which type of personal data does the GDPR define as a "special category" of personal data?
A. Educational history.
B. Trade-union membership.
C. Closed Circuit Television (CCTV) footage.
D. Financial information.
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual's personal data. Which of the following best explains why this practice would NOT be subject to the GDPR?
A. Body temperature is not considered personal data.
B. The practice does not involve completion by automated means.
C. Body temperature is considered pseudonymous data.
D. The practice is for the purpose of alleviating extreme risks to public health.
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It offers its services exclusively in the United States. It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
A. Yes, because MagicClean is processing data in the EU.
B. Yes, because MagicClean's data processing agreement with the French processor is an establishment in the EU.
C. No, because MagicClean is located in the United States only.
D. No, because MagicClean is not offering services to EU data subjects.
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
A. The local Data Protection Supervisory Authorities.
B. The European Data Protection Board.
C. The EU Commission.
D. The Member States.
Pursuant to Article 17 and EDPB Guidelines 5/2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
A. The personal data has been collected in relation to the offer of information society services (ISS) to a child.
B. The data subject withdraws consent and there is no other legal basis for the processing.
C. The personal data is no longer necessary in relation to the search engine provider's processing.
D. The processing is necessary for exercising the right of freedom of expression and information.
If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?
A. Notify the police and file a criminal complaint about the incident.
B. Start an investigation to understand the incident's possible scope, duration and nature.
C. Send a notification to the competent supervisory authority describing the incident.
D. Send an email about the incident to all clients and ask them to change their passwords.