This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPP-E.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1. How does the GDPR define ‘processing’?

2. A breach of security leading to the accidental destruction or loss of personal data triggers notification obligations. According to Article 33(2) of the GDPR, how soon must the data processor notify the data controller about such a breach of security?

3. Under the GDPR, when processing an individual’s personal data in the context of direct marketing activities, data controllers must do which of the following?

4. A full and valid set of binding corporate rules (BCRs) must include specific elements. Which of the following is NOT one of the required elements?

5. What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

6. According to GDPR Article 56, what is a lead supervisory authority's (LSA) main concern?

7. Which of the following would most likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

8. Each of the following is a valid transfer mechanism data controllers may rely upon to legally transfer EU personal data outside of the EU EXCEPT?

9. Which of the following is NOT amongst the rights and freedoms that must be considered when balancing privacy rights under the GDPR?

10. A high-security bank requires members to use fingerprint identification to access specific vaults. The bank retains those records to determine who obtained access and when. The bank must determine the lawful basis for processing under the GDPR. Which lawful basis would most likely apply to this type of processing activity?

11. Administrative fines imposed under GDPR Article 83 must be?

12. Much of the GDPR builds upon the Data Protection Directive. Which of the following data subject rights is the only right that did NOT exist in some form in the Directive?

SCENARIO I Please use the following scenario to answer the next questions.

Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures.

These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers. Since these measures would potentially impact employees, Building Block's privacy office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches. After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the information security team discovered that one employee from Italy was connecting daily to a video library of movies and another from Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager.

In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company's computers and from working remotely without authorisation.

13. To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

14. What would be the most appropriate way for Building Block to handle the situation with the employee from Italy?

15. In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

16. Which of the following would most likely NOT be covered by the definition of ‘personal data’ under the GDPR?

17. Under Article 17(1) (right to erasure or ‘right to be forgotten’), what is a controller required to do when they receive a proper request for erasure from a data subject?

18. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) had in common but largely failed to achieve in Europe?

19. An organisation wants to use a digital identity verification app to authenticate the identities of new customers. Customers will be asked to upload a photo ID document such as passport, driving licence or national ID and then asked to upload a picture of their face in the app. The ID document’s authenticity is checked, and biometrics are used to ensure the ID document belongs to the customer.

What step should the organisation take to ensure the data minimisation principle is implemented when collecting the personal data?

20. Which of the following is NOT one of the seven EU-U.S. and Swiss-U.S. Privacy Shield Principles?

21. When determining whether to impose an administrative fine and its amount, a supervisory authority takes into account the intentional or negligent character of the infringement. Which of the following is another criterion that would have a bearing on the amount of the fine?

22. Under the GDPR, which of the following statements is TRUE regarding a data subject’s right to opt out of direct marketing?

23. Pursuant to Article 32(1) of the GDPR, which is a technical and organisational measure to ensure a level of security appropriate to the assessed risks?

24. According to the GDPR, how is pseudonymous personal data defined?

25. Each of the following should be considered when assessing which security measures would be most appropriate for an organisation EXCEPT?

SCENARIO II Please use the following scenario to answer the next questions.

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong, and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is from international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data centre located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a near-field communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

26. Why is this company obligated to comply with the GDPR?

27. To ensure GDPR compliance, what should be the company's position on the issue of consent?

28. What presents the biggest potential privacy issue with the company's practices?

29. Considering the requirements of Article 32 of the GDPR (related to the security of processing), which practice should the company institute?

30. How has the GDPR's position on consent most likely affected app design and implementation?

31. A convenience store in Brussels is having trouble with individuals spray painting graffiti on the front windows and entrance when the store is closed. As a security measure, they have installed video surveillance outside of their entrance. The camera records activity near the door and along the sidewalks in front of the store. Video footage is stored for one month and then deleted if not needed. Footage of a passer-by was captured while he was on the sidewalk and did not show evidence of vandalism by him. He asks to have his personal data erased immediately. What must the store do to comply with the GDPR?

32. Before deciding to encrypt personal data, an organisation is required to assess the risks of the processing activity. What should an organisation take into consideration during the assessment?

33. Under the GDPR, who would be least likely to be allowed to engage in the collection, use and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

34. A shopping mall uses video surveillance cameras, which include facial recognition technology, at the entrance. This technology allows the mall to detect and remove individuals who were previously banned from the property. Which GDPR lawful basis would the shopping mall need to rely on for the processing of the video footage and facial recognition data?

35. Each of the following is a means controllers must use to meet fair processing information requirements EXCEPT?

36. A key component of the OECD Guidelines is the ‘individual participation principle’. What parts of the GDPR provide the closest equivalent to that principle?

37. A data controller must notify a data subject about a personal data breach likely to result in a high risk to the data subject’s fundamental rights and freedoms in each of the following situations EXCEPT?

38. A restaurant has a website through which customers order food to be delivered to their home. The restaurant sends the consumer’s personal data and order information to a third-party delivery company for the purpose of delivering the food and accepting payment. After the order is complete, the delivery company pseudonymises the customer information to be used to improve the delivery company’s estimated delivery time algorithm. The delivery company is not using the pseudonymised customer data for their algorithm on the restaurant’s behalf. Under the GDPR, what role best describes the delivery company with respect to the processing of data used for the algorithm?
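Questions 24 and 38 both turn on pseudonymisation, which Article 4(5) of the GDPR defines as processing personal data so that it can no longer be attributed to a specific data subject without additional information, provided that additional information is kept separately and protected by technical and organisational measures. The Python below is an added illustration written for this page; it is not part of the assessment, not IAPP material, and not code from any company named in the questions. The order records, field names and candidate email list are constructed. The example assumes one common implementation of the definition: direct identifiers are replaced by a keyed HMAC token, and the key (the "additional information") is held only by the party entitled to re-identify. An unkeyed SHA-256 variant is included as the contrast a reviewer should look for, because hashing a low-entropy identifier without a secret is reversible by enumeration and does not deliver what the definition requires.

```python
import hashlib
import hmac
import secrets

# Constructed sample orders (not from the page): the kind of record a restaurant
# might pass to a delivery company before that company pseudonymises it for
# its own delivery-time analytics.
ORDERS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "1000", "delivery_minutes": 32},
    {"name": "Bob Example", "email": "bob@example.com",
     "postcode": "1050", "delivery_minutes": 41},
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "1000", "delivery_minutes": 29},
]

# Fields that directly identify the customer and are dropped from the analytics
# set. Postcode and delivery time stay because the delivery-time model needs them.
DIRECT_IDENTIFIERS = ("name", "email")

# The "additional information" of Article 4(5): a secret key that must live
# separately from the analytics data set, under its own access control.
# Generated fresh here; in practice it comes from a key store, never from the
# same database that holds the tokens.
CONTROLLER_KEY = secrets.token_bytes(32)


def keyed_token(email: str, key: bytes) -> str:
    """Keyed pseudonym: without `key`, the token cannot be linked to the email."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Strip direct identifiers; add one stable keyed token per customer.

    Stability matters: the same customer must map to the same token so repeat
    orders can be grouped, which is why a random per-record value would not do.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_token"] = keyed_token(record["email"], key)
    return out


def reidentify(token: str, candidate_emails, key: bytes):
    """Re-identification is possible only for the key holder, by recomputing
    tokens for known customers. Returns the matching email or None."""
    for email in candidate_emails:
        if hmac.compare_digest(keyed_token(email, key), token):
            return email
    return None


def unkeyed_token(email: str) -> str:
    """Anti-pattern: plain SHA-256 of the identifier, often mislabelled as
    anonymisation. There is no secret, so anyone can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidate_emails):
    """What any third party with no key can do against unkeyed hashes: try
    plausible inputs until one reproduces the token."""
    for email in candidate_emails:
        if hmac.compare_digest(unkeyed_token(email), token):
            return email
    return None


if __name__ == "__main__":
    for rec in ORDERS:
        print(pseudonymise(rec, CONTROLLER_KEY))
```

Running the block shows the three orders reduced to token, postcode and delivery time, with Alice's two orders sharing one token so the delivery-time model can still group them. Two caveats a practitioner should keep in view: pseudonymised data remains personal data under the GDPR (Recital 26), so the analytics set stays in scope of the Regulation; and the protection is exactly as strong as the separation of the key. If the key sits in the same store, or is reachable by the same accounts, as the tokens, the "kept separately" condition of Article 4(5) is not met.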

SCENARIO III Please use the following scenario to answer the next questions.

The U.S.-based ABC Company is setting up a processing facility in Ireland. The company is a back-office data processor for EU health insurance companies. ABC Company’s first client is Ireland HealthU Insurance, which provides health insurance for all college students in Ireland. The student health insurance applications include name, date of birth, and previous and existing medical treatments and conditions. The volume of data processing is unknown, but it is expected to be between 50,000–100,000 applications per month. Even though there are large volumes of applications, the number of employees of ABC Company remains fewer than 100.

39. Does the record-keeping requirement of the GDPR apply to this company?

40. In the above scenario, ABC Company appointed a DPO to comply with the GDPR. Why is ABC Company required to do so?

41. Under the ePrivacy Directive, when obtaining consent from individuals to process their location data, controllers must present individuals with each of the following EXCEPT:

42. A United States-based online company uses software to track the browsing behaviour and predict future purchases of its European customers. It also shares this information with third parties. Under the GDPR, what is the online company’s primary obligation before engaging in this kind of profiling?

43. Which EU entity has the authority to invalidate adequacy determinations made by the European Commission?

44. A company based in Spain is expanding its business to serve customers in other EU member states. The company increases its advertising budget and serves advertisements to market its product to consumers in France, Germany and the Netherlands. Consumers from all three countries use the company website to purchase products and have the products shipped to their homes. The privacy notice of the Spanish company provides data subjects with all the required information; however, the policy is only available in Spanish. Which GDPR principle is the company most likely to be in breach of?

45. What is the main reason GDPR Article 4(22) establishes the concept of the ‘supervisory authority concerned’?

46. Your company’s chief information security officer is performing an annual review of its ‘bring your own device’ (BYOD) program for its European subsidiary. She has asked you to validate that the technical team’s process document is compliant with GDPR. Which step would result in non-compliance with the GDPR?

47. Which of the following is TRUE with regard to the provisions of the ePrivacy Directive?

48. A Brazilian citizen is visiting Paris, France on a one-year work visa. During their time in France, they join a local health and fitness club. The registration form for the health club requests their full name, permanent home address, bank account information for withdrawal of membership fees, and their race or ethnic origin for statistical purposes. Which information requested is considered a special category of personal data under Article 9 of the GDPR?

49. A bakery placed a video surveillance camera in the employee break room. The camera is pointed in a manner so that it only records the portion of the wall that holds the employee timeclock. The employer set up the camera after some employees were caught clocking in for other employees who were running late to work. The employer reviews the footage weekly and then deletes the footage. A sign is posted next to the timeclock informing employees about the recording. If the employees exercise their right to object, what will the employer need to do to continue the video monitoring?

50. Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject unless the controller can demonstrate compelling legitimate grounds that override the interests of the individual. In the ‘Guidelines on Automated individual decision-making and Profiling’, the European Data Protection Board (EDPB) says the controller needs to do all of the following to demonstrate it has such legitimate grounds EXCEPT?