This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of EU data protection law in preparation for the CIPP-E.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT:

2) What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

3) Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

4) Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

5) Which area of privacy is a lead supervisory authority's (SA) MAIN concern?

Please use the following to answer the next question:

Triangulate Inc. is a multinational company headquartered in New Jersey with offices throughout the United States, Asia, and Europe (including France, Spain, Sweden and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, the Privacy Office and the Information Security team, resolved to adopt additional security measures. These included security awareness training programs, a cybersecurity audit, and use of a new software tool called FirstSecurity, which scans employees' computers to see if they have software that is no longer supported by its vendor and is therefore not receiving security updates.

However, this software also provides other features, including the monitoring of employees' computers. Since these measures would potentially impact employees, Triangulate's Privacy Office decided to issue a general notice to all employees indicating that the company would implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use FirstSecurity to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Spain was connecting daily to a video library of movies, and another, from France, was working remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Spain was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the company's security and privacy policy prohibited employees from installing software on company computers and from working remotely without authorization.

6) What would be the MOST APPROPRIATE way for Triangulate to handle the situation with the employee from Spain?

Please use the Triangulate Inc. scenario above to answer the next question:

7) Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

Please use the Triangulate Inc. scenario above to answer the next question:

8) To comply with the GDPR, what should Triangulate have done as a first step before implementing the FirstSecurity measure?

Please use the Triangulate Inc. scenario above to answer the next question:

9) Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

Please use the Triangulate Inc. scenario above to answer the next question:

10) In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Triangulate have provided them before implementing the security measures?

Please use the following to answer the next question:

Mariam and Rob both work at Hallow College. Mariam is a lawyer responsible for data protection, while Rob is a lecturer in the engineering department. The College maintains a number of types of records:

  • Student records, including names, student numbers, home addresses, pre-College information, College attendance and performance records, details of special educational needs and financial information.
  • Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
  • Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Hallow’s Alumni portal.
  • Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
  • Under their security policy, the College encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Rob wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Mariam's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will export only some student data: previous schools attended, grades originally obtained, grades currently obtained and first time College attended. He wants to keep the records at the individual student level. Mindful of Mariam's training, Rob runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Mariam's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Rob informs Mariam about his performance database.

Mariam explains to Rob that, as well as minimizing personal data, the College has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Mariam arranges to discuss this further with Rob after she has done some additional research.

Rob wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Rob takes the laptop into the College he loses it on the train. Rob has to see Mariam that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Mariam about his lost laptop at the same time.

11) Mariam will find that a risk analysis is NOT necessary in this situation as long as?

Please use the Hallow College scenario above to answer the next question:

12) An unforeseen power outage results in a company's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, the company should do which of the following?

Please use the Hallow College scenario above to answer the next question:

13) Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

Read the following steps:

  • Discover which employees are accessing cloud services and from which devices and apps
  • Lock down the data in those apps and devices
  • Monitor and analyze the apps and devices for compliance
  • Manage application life cycles
  • Monitor data sharing

14) An organization should perform these steps to do which of the following?

Please use the following to answer the next question:

Potters Bar, a golf club of which Michael is a member, has branches across the UK and EU. Its main establishment is in Spain. Michael resides in Derry, Northern Ireland (part of the U.K.) and travels to work in Lough Foyle, Ireland. During a Potters Bar golf tournament in Stockholm, Sweden, Michael gave his consent to being included in a photograph; he was informed that it would be used for promotional purposes only. Since then the photograph has been used in the club's U.K. brochures, and it features on the landing page of its U.K. website. The golf club, however, has gained some notoriety as a result of ill treatment of members at several branches of the club in other EU member states. Because of this, Michael no longer feels comfortable with his photograph being publicly associated with the golf club.

Michael's attempts to make an appointment and discuss the issue with his local branch manager were unsuccessful. He then made a written request to Potters Bar asking that his image be removed from the website and all forms of publicity. Several months went by and Potters Bar failed to address Michael's request, which led him to become quite concerned and prompted him to take action.

15) Michael contacts the U.K. Information Commissioner's Office ('ICO' — the UK's supervisory authority) to lodge a complaint about this matter. Under the cooperation mechanism, what should the lead authority (AEPD) do after it has formed its view on the matter?

Please use the Potters Bar scenario above to answer the next question:

16) Assuming that multiple Potters Bar branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Michael's request, how may Michael proceed in order to seek compensation?

Please use the Potters Bar scenario above to answer the next question:

17) In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

Please use the following to answer the next question:

Zoro, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Zoro teamed up with another eco-friendly company, TeraWorld, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Zoro and TeraWorld entered into a data sharing agreement to use the same marketing database, PromoChimp, to send the campaigns to their respective contacts.

Zoro and TeraWorld also entered into a data processing agreement with PromoChimp, the terms of which included processing personal data only upon Zoro and TeraWorld's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Zoro and TeraWorld then procured the services of a company called E-List, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide E-List with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, E-List implements the technical and organizational measures it deems appropriate. E-List works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a campaign. E-List then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, E-List does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, E-List pseudonymizes the personal data by removing identifying information from the contact information. E-List's engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Zoro and TeraWorld, E-List received access to PromoChimp, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Zoro customer, Mr Paige, received a marketing campaign from E-List regarding Zoro's as well as TeraWorld's latest products. While Mr Paige recalls checking a box to receive information in the future regarding Zoro's products, he has never shopped at TeraWorld, nor provided his personal data to that company.

18) Why would the consent provided by Mr Paige NOT be considered valid in regard to E-List?

Please use the Zoro and TeraWorld scenario above to answer the next question:

19) Under the GDPR, Zoro and TeraWorld's contract with PromoChimp must include all of the following provisions EXCEPT?

20) Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

21) What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

22) In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

Please use the following to answer the next question:

ABC World is a successful international online toy shop that employs approximately 900 people at its headquarters based in France. Julien is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both toys and gadgets for males and females across all age demographics, including adults. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Matt, the CIO, tells Julien that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Julien tells the CIO that: (a) the potential risks of such activities mean that ABC World needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, ABC World may have to undertake a prior consultation with the CNIL, the French Data Protection Commissioner, before implementing the app and loyalty scheme.

Matt tells Julien that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of ABC World's business plan and associated processing activities.

23) What would MOST effectively assist ABC World in conducting their data protection impact assessment?

Please use the ABC World scenario above to answer the next question:

24) What must ABC World provide to the supervisory authority during the prior consultation?

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Indonesia. The company sells a broad range of action figures and dolls that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Indonesia and in fact does not employ any staff outside Indonesia, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in Russia. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life on screen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

25) In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

Please use the Indonesian toy manufacturer scenario above to answer the next question:

26) To ensure GDPR compliance, what should be the company's position on the issue of consent?

27) Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

Please use the following to answer the next question:

Greg, a long-time customer of XERO insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Greg has been plagued by texts and calls from a company called Mobo Insurance offering to help him recover compensation for personal injury. Greg has heard about insurance companies selling customers' data to third parties, and he's convinced that Mobo must have gotten his information from XERO.

Greg has also been receiving an increased amount of marketing information from XERO, trying to sell him their full range of insurance policies.

Perturbed by this, Greg has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than XERO, even though he has been a loyal customer for many years. When his XERO policy comes up for renewal, he decides to switch to Alliance Insurance. In order to activate his new insurance policy, Greg needs to supply Alliance with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask XERO to transfer his information directly to Alliance. He also takes this opportunity to ask XERO to stop using his personal data for marketing purposes.

XERO supplies Greg with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Greg it cannot transfer his data directly to Alliance as this is not technically feasible. XERO also explains that Greg's contract included a provision whereby Greg agreed that his data could be used for marketing purposes; according to XERO, it is too late for Greg to change his mind about this. It angers Greg when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Greg is still receiving unwanted calls from Mobo Insurance. He writes to Mobo to ask for the name of the organization that supplied his details to them. He warns Mobo that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Mobo's response letter confirms Greg's suspicions. Mobo is XERO's wholly owned subsidiary, and they received information about Greg's accident from XERO shortly after Greg submitted his accident claim. Mobo assures Greg that there has been no breach of the GDPR, as Greg's contract included a provision in which he agreed to share his information with XERO's affiliates for business purposes.

Greg is disgusted by the way in which he has been treated by XERO, and writes to them insisting that all his information be erased from their computer system.

28) After Greg has exercised his right to restrict the use of his data, under what conditions would Mobo have grounds for refusing to comply?

Please use the Greg and XERO scenario above to answer the next question:

29) What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

30) A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

31) What is the MAIN reason GDPR Article 4(22) establishes the concept of the 'concerned supervisory authority'?

Please use the following to answer the next question:

Zoro, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Zoro teamed up with another eco-friendly company, TeraWorld, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Zoro and TeraWorld entered into a data sharing agreement to use the same marketing database, PromoChimp, to send the campaigns to their respective contacts.

Zoro and TeraWorld also entered into a data processing agreement with PromoChimp, the terms of which included processing personal data only upon Zoro and TeraWorld's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Zoro and TeraWorld then procured the services of a company called E-List, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide E-List with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, E-List implements the technical and organizational measures it deems appropriate. E-List works to continually improve its machine learning models by analyzing the data it receives from its clients to determine which components make a campaign successful. E-List then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, E-List does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, E-List pseudonymizes the personal data by removing identifying information from the contact information. E-List's engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Zoro and TeraWorld, E-List received access to PromoChimp, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Zoro customer, Mr Paige, received a marketing campaign from E-List regarding Zoro's as well as TeraWorld's latest products. While Mr Paige recalls checking a box to receive information in the future regarding Zoro's products, he has never shopped at TeraWorld, nor provided his personal data to that company.

32) E-List's use of pseudonymization is NOT in compliance with the GDPR because?

Please use the Zoro and TeraWorld scenario above to answer the next question:

33) For what reason would E-List be considered a controller under the GDPR?

34) What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

35) If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

36) Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

37) Which of the following would require designating a data protection officer?

38) How does the GDPR now define 'processing'?

39) The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

40) Assuming that the 'without undue delay' provision is followed, what is the time limit for complying with a data access request?

41) Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

42) Which of the following BEST describes the EU Data Protection Model?

43) Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

44) Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?

45) Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

46) Under the GDPR, in which of the following situations are there derogations, where each member state can make adjustments to its national law?

47) Which of the following is NOT categorically one of the types of Privacy?

48) While implementing certain data subject rights the controller is obliged by Article 19 to inform each third party recipient of the personal data. For which of the following rights does this apply?

Please use the following to answer the next question:

An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent does not extend to using those details for marketing, BUT the coffee shop has used the details to send out Christmas promotions and vouchers.

49) The act of the coffee shop is in violation of which of the GDPR Principles?

Please use the coffee shop prize draw scenario above to answer the next question:

50) The violation of the GDPR Principle(s) may lead to a penalty of what?