Ask Question
IAPP CIPP-E Practice Test - Questions Answers
Question list
List of questions
Related questions
Question 1
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
Verify that the request is applicable to the data collected before the GDPR entered into force.
Verify that the purpose of the request from the customer is in line with the GDPR.
Verify that the personal data has not already been sent to the customer.
Verify that the identity of the customer can be proven by other means.
Explanation:
According to Article 13 of the GDPR, the controller (in this case, the electricity supplier) has the obligation to provide the data subject (in this case, the customer) with information about the processing of their personal data, including the recipients or categories of recipients of the personal data, if any. However, before providing such information, the controller must verify the identity of the data subject, to ensure that the information is not disclosed to unauthorized persons. This verification can be done by other means than the personal data already collected, such as asking for additional information, sending a verification code, or using a secure online portal. The other options (A, B, and C) are not relevant for this verification, as they do not relate to the identity of the data subject, but to the scope, purpose, and history of the processing.Reference:
Article 13 of the GDPR
The right to be informed (transparency) (Article 13 & 14 GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Question 2
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
The data subject already has information regarding how his data will be used
The provision of such information to the data subject would be too problematic
Third-party data would be disclosed by providing such information to the data subject
The processing of the data subject's data is protected by appropriate technical measures
Explanation:
According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5).One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12.In such cases, the controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available12.Reference:CIPP/E Certification - International Association of Privacy Professionals,Free CIPP/E Study Guide - International Association of Privacy Professionals,GDPR - EUR-Lex,Right to be Informed - General Data Protection Regulation (GDPR)
Question 3
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at CompanyA. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required. Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract. Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees. Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
Their omission of data protection provisions in their contract with Company C.
Their failure to provide sufficient security safeguards to Company A's data.
Their engagement of Company C to improve their payroll service.
Their decision to operate without a data protection officer.
Explanation:
While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:
A) Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.
B) Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action.
C) Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action.
D) Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.
Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.
Question 4
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required. Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract. Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees. The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
Hiring companies whose measures are consistent with recommendations of accrediting bodies.
Requesting advice and technical support from Company A's IT team.
Avoiding the use of another company's data to improve their own services.
Vetting companies' measures with the appropriate supervisory authority.
Explanation:
Article 82 of the GDPR1234regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.
Paragraph 4 of Article 821234states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.
Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.
1: Art. 82 GDPR -- Right to compensation and liability - General Data Protection Regulation (GDPR)
2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu
3: GDPR Article 82: Right to compensation and liability - Advisera
4: Article 82 GDPR | Right to compensation and liability
Question 5
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
A privacy notice containing brief information whilst offering access to further detail.
A privacy notice explaining the consequences for opting out of the use of cookies on a website.
An explanation of the security measures used when personal data is transferred to a third party.
An efficient means of providing written consent in member states where they are required to do so.
Explanation:
A layered notice is a privacy notice designed to respond to problems with excessively long notices1.A short notice --- the top layer --- provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2.The full notice --- the bottom layer --- covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2.The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3.A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23.Reference:2
Question 6
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
Inform the subjects about the collection
Provide a public notice regarding the data
Upgrade security to match that of the source
Update the data within a reasonable timeframe
Explanation:
:According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed.Reference:
Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.
ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.
EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.
Question 7
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
The name/s of relevant government agencies involved and the steps needed for revising the data.
The identity and contact details of the controller and the reasons the data is being collected.
The contact information of the controller and a description of the retention policy.
Explanation:
The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source12.This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller's representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing34.This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR5. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data.Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory.Reference:1: Article 13 of the GDPR2: Article 14 of the GDPR3: Article 13(1)(a) and of the GDPR4: Article 14(1)(a) and of the GDPR5: Recital 60 of the GDPR
Question 8
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?
Within 40 days of receipt
Within 40 days of receipt, which may be extended by up to 40 additional days
Within one month of receipt, which may be extended by up to an additional month
Within one month of receipt, which may be extended by an additional two months
Explanation:
:According to the GDPR, data controllers must respond to a data access request (also known as a subject access request or SAR) without undue delay and in any event within one month of receipt of the request. This time limit can be extended by a further two months if the request is complex or if the controller receives a number of requests from the same individual. However, the controller must still inform the individual within one month of receipt of the request and explain why the extension is necessary. The time limit is calculated from the day after the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. If there is no corresponding calendar date, the deadline is the last day of the next month. If the deadline falls on a weekend or public holiday, the response must be provided on the next working day.Reference:
GDPR, Article 12(3)
ICO, Right of access1
ICO, Time limits for responding to data protection rights requests2
Question 9
The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?
The recipients or categories of recipients.
The categories of personal data concerned.
The rights of access, erasure, restriction, and portability.
The right to lodge a complaint with a supervisory authority.
Explanation:
According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data.Reference:
Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 13: Information to be provided where personal data are collected from the data subject - GDPR
Question 10
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?
As soon as possible after obtaining the personal data.
As soon as possible after the first communication with the data subject.
Within a reasonable period after obtaining the personal data, but no later than one month.
Within a reasonable period after obtaining the personal data, but no later than eight weeks.
Explanation:
According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed.However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12.Reference:
GDPR, Article 14
Free CIPP/E Study Guide, page 19, section 2.5.1
CIPP/E Certification, page 14, section 1.2.1
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 14 GDPR - GDPRhub
Question