This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPP-E.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) According to the General Data Protection Regulation (GDPR), when does an organisation need to take action to legitimise cross-border data transfers of personal data?

2) The GDPR and its predecessor, the Data Protection Directive 95/46/EC, were allowed to be set up as a harmonisation measure for European member states by which?

3) Which is an example of direct marketing?

4) The e-Privacy Directive 2002/58/EC contains which provision?

5) Which statement describes a European best practices approach to the protection of employment data held by an organisation?

6) When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?

7) Under what condition may the processing of ‘sensitive employee data’ be acceptable?

8) Under the GDPR, which term is defined as ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’?

9) Why do Binding Corporate Rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?

10) Along with the name and contact details of the data controller processing the personal data, what other information must be included in the records of processing to be maintained by the data controller under the GDPR?

11) Which statement is correct concerning the information to be provided when collecting personal data directly from the data subject?

12) Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?

13) Which institution is responsible for ensuring that directives are implemented properly by the member states?

14) What is true for a contract based on European Commission (EC) Standard Contractual Clauses with a processor outside the European Economic Area?

15) Which type of data subject is NOT covered by the GDPR?

16) Please use the following information to answer the next question:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national), has hand-delivered a letter to the Reception of the Irish Subsidiary on May 1. Rob asked for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his employment with them over 18 years ago, including all email correspondence about him from his past three managers, and anyone from the HR Department. Rob has included a copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has relocated to Tea & Biscuits' Singapore office. The receptionist was not sure what to do with the letter, so she sent it via internal mail to the Facilities Manager, who was out of the office on holiday until May 5. The Facilities Manager sent it to the HR Manager, who is very busy on a new redundancy program. The HR Manager emailed the legal team on May 21 to ask what he should do with the letter. The local Irish lawyers got back to the HR Manager on May 25 and suggested that the HR Manager get in touch with Rob immediately and tell him that his issue has been looked into.

Question: 

What should Tea & Biscuits do before responding to Rob with the information he has requested?

17) Please use the following information to answer the next question:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national), has hand-delivered a letter to the Reception of the Irish Subsidiary on May 1. Rob asked for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his employment with them over 18 years ago, including all email correspondence about him from his past three managers, and anyone from the HR Department. Rob has included a copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has relocated to Tea & Biscuits' Singapore office. The receptionist was not sure what to do with the letter, so she sent it via internal mail to the Facilities Manager, who was out of the office on holiday until May 5. The Facilities Manager sent it to the HR Manager, who is very busy on a new redundancy program. The HR Manager emailed the legal team on May 21 to ask what he should do with the letter. The local Irish lawyers got back to the HR Manager on May 25 and suggested that the HR Manager get in touch with Rob immediately and tell him that his issue has been looked into.

Question:

What is the time period within which Tea & Biscuits Corporation needs to respond to the data subject?

18) Please use the following information to answer the next question:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national), has hand-delivered a letter to the Reception of the Irish Subsidiary on May 1. Rob asked for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his employment with them over 18 years ago, including all email correspondence about him from his past three managers, and anyone from the HR Department. Rob has included a copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has relocated to Tea & Biscuits' Singapore office. The receptionist was not sure what to do with the letter, so she sent it via internal mail to the Facilities Manager, who was out of the office on holiday until May 5. The Facilities Manager sent it to the HR Manager, who is very busy on a new redundancy program. The HR Manager emailed the legal team on May 21 to ask what he should do with the letter. The local Irish lawyers got back to the HR Manager on May 25 and suggested that the HR Manager get in touch with Rob immediately and tell him that his issue has been looked into.

Question:

What should Tea & Biscuits do next to respond to Rob's request for email?

19) Which of the following is not covered in the 3-part test of the Legitimate Interest Assessment?

20) How is an employer obliged to proceed before engaging in the general monitoring of email traffic and internet use of all of its employees?

21) Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?

22) Along with legitimacy, what is another condition that must be met when carrying out employee monitoring?

23) Which is an example of cloud computing?

24) According to the GDPR, the right to data portability applies:

25) The collection is part of a historical research initiative. Which is the most accurate statement concerning the obligations imposed by the GDPR?

26) Which of the following will NOT be considered as direct marketing?

27) Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?

28) Which is NOT a special category of data?

29) Which institution has the power to adopt adequacy findings for the European Union?

30) Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?

31) Which of the following is NOT one of the cases where Processors and Controllers must appoint a DPO?

32) According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the approval of which two European Institutions?

33) When would a data subject have the right to require the erasure of his or her data without undue delay?

34) In which case should a data subject’s consent be regarded as freely given under the GDPR?

35) Which of the following lists the attributes of security controls?

36) An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – in order to share the data with other stores, which is not necessary for that sale.

This means consent is:

37) Which of the following is a responsibility of the European Data Protection Board?

38) Which of the following is not part of the responsibilities of a Local Data Protection Supervisory Authority?

39) Please use the following information to answer the next question:

A hotel in Cornwall takes direct bookings from individuals across Europe, which includes their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them.

The hotel also uses a marketing company that makes bookings online on behalf of the hotel. This marketing company is based in France and uses a cloud IT service of a US-based provider to store customers' details.

Recently there was a data breach when the US provider's servers were hacked.


Question:

Which of the following should occur following the breach?

40) Please use the following information to answer the next question:

A hotel in Cornwall takes direct bookings from individuals across Europe, which includes their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them.

The hotel also uses a marketing company that makes bookings online on behalf of the hotel. This marketing company is based in France and uses a cloud IT service of a US-based provider to store customers' details.

Recently there was a data breach when the US provider's servers were hacked.

Question:

Which of the following should NOT be included in the Hotel's Record of Processing Activities?

41) Please use the following information to answer the next question:

A hotel in Cornwall takes direct bookings from individuals across Europe, which includes their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them.

The hotel also uses a marketing company that makes bookings online on behalf of the hotel. This marketing company is based in France and uses a cloud IT service of a US-based provider to store customers' details.

Recently there was a data breach when the US provider's servers were hacked.

Question:

What should be included in the Record of Processing Activities of the marketing company?

42) Please use the following information to answer the next question:

A company based in France passes employee information to a centralised group human resources service provided by its parent company in Germany.

The company is considering transferring their HR operations to their office in Israel. The company is also considering opening offices in China, the UK and Austria, and it is expected that there would be regular transfers between all offices.

Question:

Which of the following statements is correct?

43) Please use the following information to answer the next question:

A company based in France passes employee information to a centralised group human resources service provided by its parent company in Germany.

The company is considering transferring their HR operations to their office in Israel. The company is also considering opening offices in China, the UK and Austria, and it is expected that there would be regular transfers between all offices.

Question:

What would you recommend the company does, in order to ensure cross-border data transfer under the GDPR?

44) Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?

45) Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

46) Under the GDPR, in which of the following situations are there derogations, where each member state can make adjustments to its national laws?

47) Which of the following is NOT categorically one of the types of Privacy?

48) While implementing certain data subject rights the controller is obliged by Article 19 to inform each third party recipient of the personal data. For which of the following rights does this apply?

49) Please use the following to answer the next question:


An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent does not extend to using those details for marketing BUT the coffee shop has used the details to send out Christmas Promotions and vouchers.


Question:

The act of the coffee shop is in violation of which of the GDPR Principles?

50) Please use the following to answer the next question:


An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent does not extend to using those details for marketing BUT the coffee shop has used the details to send out Christmas Promotions and vouchers.


Question:

The violation of the GDPR Principle(s) may lead to a penalty of what?