This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPP-E.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1. The first rules to balance personal freedom with restrictions of rights are found in…

2. (What is the BEST answer?) A controller…

3. Convention 108 and Article 5 of the GDPR state that, in order to be processed legally, data must be ___________, which means that the subjects must be aware that their personal data is used.

4. Data subjects have the right to freeze their data if they requested erasure. This falls under…

5. The three mechanisms under which personal data can be transferred outside the European Economic Area (EEA) are…

6. Is location data a form of personal data?

7. The ePrivacy Regulation was changed in 2009. What was the biggest change?

8. A surveying agency has the name of a person and their political opinions. What kind of data is the latter?

9. Which of the following is NOT the scope of the GDPR?

Use the following scenario to answer questions 10-14.

One Case, One Phone (OCOP) is a company that sells customizable cases for cellphones. They are based in Germany and have two physical shops, one in Berlin and one in Stuttgart. However, most of their profits come from their online shop. The website uses cookies for better performance and they collect data from customers worldwide.
They have grown and can’t keep up with the orders in their small workshop in Germany. Because of this, OCOP has contacted a Japanese factory that would be able to build the cases and then send them to the customers. To do that, they need to know the customer’s name as well as their phone model. They wouldn’t require any other data, such as credit card numbers, nationalities, or age. This data would only be stored in the German database.
OCOP has investigated the Japanese factory and has found they have never had a data breach, although they don’t follow all the principles of the GDPR.
In November 2020, the Japanese factory had to deal with a major data breach. The data of at least 500 Germans and Swiss were lost. Furthermore, data of Brazilians has also been lost.

10. Is OCOP allowed to transfer the customer’s name and the phone model to a factory in another country? What is the BEST answer?

11. Is OCOP allowed to transfer the data to the Japanese factory?

12. Regarding the cookies, is it allowed (privacy compliant) to use them?

13. The Japanese factory tells OCOP they want to have the customer’s age as well. They argue this will allow for a more targeted design, as well as less confusion with orders. Can OCOP send them this information? What is the BEST answer?

14. OCOP wants to review online privacy rights to make sure they are following them appropriately. What should they consult?

15. The principles for data processing are stated in…

16. A company asks users for their addresses in order to send a package they have ordered. Does this follow the principle of “necessity”?

17. As of today, which of the following rights has an unclear scope?

18. The controller’s relationships with processors and sub-processors are part of…

19. When a company processes an employee’s data to pay their salary, it does so on the basis of…

20. Identifying the handwriting of an individual can be considered as…

21. Can there be personal data in the Internet of Things?

22. Which of the following are recognized routes for data transfer outside the EEA?

23. What is considered sensitive data?

24. Are EU agencies covered by the GDPR?

25. Do companies have to report data processing to the DPA?

Use the following scenario to answer questions 26-30.

Door to Door is a delivery agency. They have close partnerships with several European small manufacturing businesses and deliver delicate crafts to customers. 

When one of the manufacturing businesses receives an order, they transfer the data of the type of product and the client’s name, address, and phone number to Door to Door. The agency then passes that information on to one of their employees, who will start the delivery. The employee calls the customers to arrange a smooth delivery. 

The customers are not informed about the involvement of Door to Door, and as far as they know, the personal information they provide only goes to the small business they made the purchase from. However, each of the businesses does inform the clients that their data is used for the delivery.

26. Delivery information is automatically shared with Door to Door. Should the manufacturing business inform clients that this kind of information will be shared?

27. Should Door to Door inform clients about the personal information it received? What is the BEST answer?

28. After ordering, a client requests not to have his telephone number shared with anyone. What would be the most appropriate response?

29. Door to Door wants to use the data from the clients to offer a personalized app with the business they buy from most frequently. Should the clients be informed?

30. One of the businesses provides comprehensive information about data subjects’ rights. They use precise language from the specific field of law. Is it mandatory to do this?