CIPPE Exam Memorization Questions and Answers
Who can propose new laws in the EU?
Answer: EU Commission

Who approves adequate countries?
Answer: EU Commission - will review, update, and reassess adequate countries under GDPR.

Who can approve laws in the EU?
Answer: Council of the European Union

Why was the Data Retention Directive invalidated in 2014?
Answer: It impacts everyone without exception (their privacy rights)

What was the goal of the original EU DP Directive 95/46?
Answer: To further reconcile the protection of fundamental rights with free flow of data from one Member State to another

What best defines the right to privacy?
Answer: Balance between privacy and freedom of speech

European Data Protection Board - EDPB (replacing Working Party 29)
Answer: The EDPB has the status of an EU body with legal personality and extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification

What is the best definition of Fairness, Transparency and Lawful?
Answer: Lawfulness and Fairness is.... AND Transparency is...

What best defines GDPR?
Answer: Comprehensive

What is out of scope / not covered in the GDPR?
Answer:
- Anonymous
- Pseudo
- Encrypt
- Masking

Pseudonymisation - which is NOT true?
Answer: Is a procedure by which ALL identifying fields are removed

Employee requesting information from employer?
Answer: They have to comply unless there's an exemption (option 4)

Why is consent not the best legal basis for employees?
Answer:
- Imbalance of power
- Difficult for an employer to prove consent.

The processor has now made a decision on purpose of processing?
Answer: The processor is now deemed as the controller

What should be included in a processor contract / (NOT)?
Answer: The categories of the data subject / links to DPIAs

Can you call a prospective customer to inform him about a new product? An existing customer about his order?
Answer: Existing customers only

What is REQUIRED for a company to market to EU consumer via email? (bit of a trick question)?
Answer: Consent

Sensitive / Special categories of data - Special category?
Answer: TRADE UNION (Financial/health is sensitive)

For which of the following does GDPR apply?
Answer: For children under the age of 16

Member states have ability to enact local laws for what?
Answer: Age of child consent

When would consent NOT be needed from a child?
Answer: Providing counselling services

When does data subject have right to object?
Answer: Direct Marketing

Responding to SARs?
Answer: 1 month to respond to a SAR with a potential extension of 2 months. (4th option)

What is out of scope in terms of cross-border data transfers under GDPR?
Answer: American company, transacting with South African company using software built in the EU (option 4)

Best way for EU company to transfer data to Chinese HQ? / A company in China wants to collect data of EU customers?
Answer: EU controller to controller clause

When is DPIA needed?
Answer: Type of processing is "likely to result in a high risk to the rights and freedoms of natural persons"

What is NOT needed in article of processing records?
Answer: Links to DPIA not needed

What are the primary tasks of the DPO?
Answer: Provide advice on DPIA and advise on mitigation of risk

When is DPO required?
Answer: The core activities include regular and systematic monitoring on a large scale

What information DOES NOT need to be provided (gives you a list)? Processor has a breach - what don't they need to include in their breach report:
Answer: Link to DPIA

Processor notifies controller for a breach?
Answer: Without undue delay after becoming aware of it

Data subject notice required?
Answer: Without undue delay Unless this results in a risk to the rights and freedoms of natural persons

Notice Supervisory Auth required?
Answer: Without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

How long does one DPA have to reply to another DPA on a cooperation request?
Answer: 1 month

What info needs to be provided to a Data Subject if their data is collected indirectly?
Answer: Source of the data

If the data for DS is collected via indirect means what is the controller's primary obligation?
Answer: Inform the Data Subject about it.

What infraction can lead to the 2 tier fine of 2% or 10M?
Answer: Not implementing the technical organizational measures

ICO - opinion of future of cookies?
Answer: Will controlling cookie preferences from web browser be insufficient

What of the following best defines a Cookie?
Answer:
- A text file residing on Web server....
- A way to track data subjects online (I selected this)
- Third party cookies are dropped by website
- First party cookies...

A29 party - what cookie law will be maintained?
Answer: Consent required prior to cookie being dropped

e-Privacy Directive?
Answer: Concerns the processing of personal data and the protection of privacy in the public electronic communications sector and covers all forms of electronic communication channels

What is the most pertinent amendment to the e-Privacy Directive?
Answer: Cookies require prior information and consent

e-Privacy Directive 2009 amendments?
Answer: Mandatory electronic communication providers

What is the exemption in the 'e-privacy directive' 2002/58 allowing data controllers to send electronic marketing information?
Answer: The recipients are existing customers

Ecommerce - establishment?
Answer: Where processing took place (The place of establishment of a company providing services via an internet website is not the place at which the technology supporting its website is located or the place at which its website is accessible but the place where it pursues its economic activity)

Safeguard under 'Article 42'?
Answer: Certifications

Article 58 of GDPR gives supervisory authority to do what?
Answer:
- Ordering a controller or processor to provide information
- Conducting investigatory audits***
- Obtaining access to premises and data
- Issuing warnings and reprimands and imposing fines***
- Ordering controllers and processors to comply with the GDPR and data subjects' rights
- Banning processing and trans-border data flows outside the EU
- Approving standard contractual clauses and binding corporate rules.

What will an employer do with employee data once they are terminated?
Answer: They will keep data legally required to keep

CCTV - what would you NOT need to do first?
Answer: Create a retention policy

Company X contracts company Y to process. Compa
School, study and subject
- Institution: CIPPE
- Course: CIPPE
Document information
- Published on: 29 May 2023
- Number of pages: 7
- Written in: 2022/2023
- Type: Exam
- Contains: Questions and answers