This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPP-E.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1. Under which of the following conditions is a controller in the EU likely to be exempt from having to inform data subjects of the processing of their personal data under Articles 13 and 14 of the GDPR?

SCENARIO I Please use the following scenario to answer the next questions.

Museum4yourSenses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlack.

 

The museum’s unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored waiting room where they receive instructions to speak their name and introduce the character they wish to become for the day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.

 

A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum’s privacy notice and a consent form to sign about the images and voice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors’ introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars for the museum’s reuse.

2. After visiting the Museum4yourSenses, what would visitors be entitled to request regarding their personal data?

SCENARIO I Please use the following scenario to answer the next questions.

Museum4yourSenses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlack.

The museum’s unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored waiting room where they receive instructions to speak their name and introduce the character they wish to become for the day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.

A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum’s privacy notice and a consent form to sign about the images and voice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors’ introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars for the museum’s reuse.

3. Bubbaloo Clown Company downloaded the PluckPlack videos promoting the museum and used the expressions to make new clown masks. It named the masks according to the visitor’s introductions. When former visitors became aware of these masks, they lodged a series of complaints with the supervisory authorities. Museum4yourSenses deflected any responsibility, stating it was their audio-visual vendor handling the audio recordings of the visitors.

 

Q- Which statement about responsibility for the misuse of the visitors’ personal data is correct?

SCENARIO I Please use the following scenario to answer the next questions.

Museum4yourSenses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlack.

 

The museum’s unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored waiting room where they receive instructions to speak their name and introduce the character they wish to become for the day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.

 

A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum’s privacy notice and a consent form to sign about the images and voice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors’ introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars for the museum’s reuse.

4. A local elementary school teacher was one of the first visitors to Museum4yourSenses and was inspired to launch some educational materials after the visit. However, the teacher was alarmed to learn that a number of children with special needs had their introductory videos selected to promote a diversity and inclusion angle in the promotional materials. What would be her best option to protect children’s rights?

5. A company is hesitating between binding corporate rules and standard contractual clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

6. Which of the following is NOT a common service model of cloud computing?

7. You accidently send an email that contains a small amount of personal data, and no sensitive data, concerning 25 individuals from the EU to the wrong email address. You immediately request the recipient delete the email and that the recipient confirms they have done so. After reporting what has happened to your DPO, you take some refresher privacy training for good measure. Under the GDPR, why is it unlikely that your company would be fined as a result of this data breach?

8. What is the core concept underpinning the GDPR accountability requirement?

9. What should an organisation consider when determining appropriate periods for retaining personal data?

10. When is a data sharing agreement most likely to be needed?

11. Which treaty created the European Union?

12. If a multi-national company wanted to conduct background checks on all current and potential European-based employees, what key provision would the company have to follow?

13. What is a ‘layered fair processing notice’?

SCENARIO II Please use the following scenario to answer the next questions.

Excited to go on holiday, Isabelle took a trip to Amsterdam and went on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence in France, she received frequent flyers from Novatours and third-party vendors. The number of flyers and vendors involved increased over time, including not only tourist activities, but also hotels, restaurants, car rentals, museum events, etc. All flyers mentioned a partnership with Novatours.

A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the ‘no-reply’ general email on their website. Isabelle concluded there was no way to contact them other than through an affiliated tourist office where she first learned about the company.

14.  Isabelle wants to update her address and limit the sharing of her personal data. What should she do?

SCENARIO II Please use the following scenario to answer the next questions.

Excited to go on holiday, Isabelle took a trip to Amsterdam and went on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence in France, she received frequent flyers from Novatours and third-party vendors. The number of flyers and vendors involved increased over time, including not only tourist activities, but also hotels, restaurants, car rentals, museum events, etc. All flyers mentioned a partnership with Novatours.

A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the ‘no-reply’ general email on their website. Isabelle concluded there was no way to contact them other than through an affiliated tourist office where she first learned about the company.

15. Finally, Isabelle received a response from Novatours about how she can delete her personal data from their records. She authenticated her identity via email and followed the instructions provided by Novatours to delete her data. But a few weeks later, she received text messages about new offers encouraging her to respond quickly before discounts expire. Isabelle suspects Novatours is still processing her personal data and wonders if this is allowed.

Which of the following is correct?

SCENARIO II Please use the following scenario to answer the next questions.

Excited to go on holiday, Isabelle took a trip to Amsterdam and went on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence in France, she received frequent flyers from Novatours and third-party vendors. The number of flyers and vendors involved increased over time, including not only tourist activities, but also hotels, restaurants, car rentals, museum events, etc. All flyers mentioned a partnership with Novatours.

A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the ‘no-reply’ general email on their website. Isabelle concluded there was no way to contact them other than through an affiliated tourist office where she first learned about the company.

16-Novatours received several similar complaints resulting in the suspension of their licence to operate. When Novatours’ lawyer filed a complaint against the supervisory authorities, they were informed that Novatours, as a controller, was legally required to do which of the following?

17. An unforeseen power outage results in Company Z's lack of access to customer data for six hours, which is considered a breach under Article 32 of the GDPR. Based on the WP29's February 2018 ‘Guidelines on Personal data breach notification’ (later adopted by the EDPB), Company Z should do which of the following?

18. Which instrument could be used, or which treaty could be joined, by a non-European country that wanted to demonstrate an international commitment to implement data protection legislation and to provide protection of individuals with regard to automatic processing of personal data?

19. In what stages of the project life cycle should data protection by design (also known as privacy by design) be applied?

20. A data subject makes a subject access request (SAR) to an online retail company for their personal data. The data subject states that they are making a SAR in accordance with the GDPR; however, if the company credits the data subject’s online account with a specified sum of money, the data subject will withdraw their request. The company has not had any previous access requests by other individuals. Which of the following would be legitimate grounds for the company to refuse to comply with the access request?

21. Under the GDPR, which of the following is TRUE about data subjects’ options to exercise their rights in cases of noncompliance?

22. Which statement about automated decision-making under Article 22 of the GDPR is TRUE?

23. Under the ePrivacy Directive, when a company decides to send direct email marketing, which of the following legal bases may it generally rely on?

24. A data subject wants to lodge a complaint against a controller about the processing of their data. Which of the following is NOT a true statement?

25. A company is under investigation by multiple regulators in different countries’ jurisdictions for not complying with GDPR fair notice requirements. Which is TRUE of the fines that may be assessed against the company?

26. An employee of company XYZ has just noticed a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

SCENARIO III Please use the following scenario to answer the next questions.

Luca is the owner of a chain of Italian restaurants across Europe. The restaurant has been successful but beginning with the COVID pandemic customers have mainly ordered food to pick up and eat at home. Luca decided to create a mobile app that allows customers to order ahead and schedule pickup times to help alleviate wait times. This also allowed him to build analytics to better staff his restaurants in this new era of takeout.

27- To comply with the obligations under Article 25 (data protection by design and by default), what should Luca consider when reviewing and assessing the processing and storage of personal data gathered by his app?

SCENARIO III Please use the following scenario to answer the next questions.

Luca is the owner of a chain of Italian restaurants across Europe. The restaurant has been successful but beginning with the COVID pandemic customers have mainly ordered food to pick up and eat at home. Luca decided to create a mobile app that allows customers to order ahead and schedule pickup times to help alleviate wait times. This also allowed him to build analytics to better staff his restaurants in this new era of takeout.

28- Since Luca is now processing and storing customer data via his app, he needs to create internal privacy policies for employees to follow. Which guidelines should be included in the policy? 

29. Which of the following is a legally binding instrument?

30. A U.S.-based pharmaceutical company, Pharma, receives pseudonymised patient information from clinical sites all over the world, including the EU, as part of a clinical trial. How must Pharma process the data?

31. Which treaty was issued as a result of the enlargement of the European Community and the corresponding need to improve the efficiency and speed of decision-making processes?

32. When a situation arises in which neither an adequacy decision nor appropriate safeguards are in place, the GDPR sets forth specific derogations to allow data transfers. Which of the following is a requirement to transfer data under the derogations?

33. In which of the following situations must a data protection impact assessment (DPIA) be used?

34. Which of the following processing conditions would prohibit an organisation from retaining personal data collected for conducting a webinar once the webinar has concluded and the processing purpose has expired?

35. A grocery store opened on a street that has had regular problems with thefts. Since the grocery store is new, they do not yet have the budget for a real surveillance system. Instead, they install fake video surveillance cameras to stop potential thieves until they can afford a real surveillance system. The cameras are pointed only inside the store and there are no cameras facing the street. Which GDPR lawful basis is the grocery store most likely to have relied on for the placing of the cameras?

36. Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

37. The European Commission has the power to determine whether a country outside of the EU provides an adequate level of data protection in accordance with the GDPR. Which one of the following countries has been deemed ‘adequate’?

38. Failure to provide fair information to data subjects with regards to the processing of their personal data is likely to?

39. The GDPR requires parent/guardian consent to process personal data of data subjects younger than what minimum age?

40. Which of the following is the best approach for an organisation to take to be able to demonstrate fairness when processing personal data?

41. Under the GDPR, when processing an individual’s personal data in the context of direct marketing activities, data controllers must do which of the following?

42. Which of the following is NOT categorically one of the types of Privacy?

43. Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

44. How does the GDPR now define processing?

45. What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

46. Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

47. In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

48. In privacy protection, what is a covered entity?

49. Which of the following is NOT a good reason to perform a privacy audit on a supplier?

50. An example of media sanitisation would be: