IAPP CIPP-E Practice Test - Questions Answers, Page 20

:According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission.Reference:

Article 32 of the GDPR

IAPP CIPP/E Study Guide, page 58

This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland.Reference:

Free CIPP/E Study Guide, page 18, section 3.4.2

Standard contractual clauses for international transfers, section 1.1

Standard Contractual Clauses (SCC), section 2.1

Decision 2007/72/EC

Article 58 of the GDPR lists the powers of supervisory authorities, which include investigative, corrective, and authorization and advisory powers. However, legislative powers are not among those granted to supervisory authorities, as they belong to the EU and the member states. Therefore, option A is the correct answer.Reference:Art. 58 GDPR -- Powers,Article 58 Powers - GDPR,Article 58 GDPR - GDPRhub

According to the European Data Protection Board, the principles relating to the processing of personal data under EU data protection law are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability1.These principles imply certain concepts or practices that data controllers and processors should follow, such as access control management, frequent pseudonymization key rotation, and error propagation avoidance along the processing chain2.However, data ownership allocation is not a concept or practice that follows from these principles, as the GDPR does not recognize the notion of data ownership by either the data subject or the data controller3. Therefore, option A is the correct answer.Reference:

Data protection basics

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

CIPP/E Study Guide, page 11

:According to the GDPR, the processing of photographs should not systematically be considered as processing of special categories of personal data, unless they are covered by the definition of biometric data1.Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification or authentication of that natural person, such as facial images or dactyloscopic data2.Therefore, the processing of photographs is considered processing of special categories of personal data when it involves the use of specific technical means, such as facial recognition, that allow or confirm the unique identification or authentication of a natural person3.Reference:1: Recital 51 of the GDPR2: Article 4(14) of the GDPR3: GDPR, Photographs, and Special Categories of Personal Data.

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU).Reference:

IAPP CIPP/E Study Guide, page 7

[Universal Declaration of Human Rights]

[Article 12 of the UDHR]

According to the EU glossary1, a directive is a legal act that sets out a goal that EU countries must achieve, but leaves them the choice of form and methods to reach it. A directive is binding on the EU countries to which it is addressed, but it does not apply directly at the national level. Instead, it has to be transposed into national law by the national authorities, usually within a specified time limit. This allows for some flexibility and adaptation to the specific circumstances of each country. A directive is different from a regulation, which is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law.Reference:

Free CIPP/E Study Guide, page 14, section 2.3

Types of legislation, section 2

What are EU directives?

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions.Reference:Directive 2002/58/EC,Directive 2009/136/EC, [ePrivacy Regulation]

Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811.However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952.One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3.The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals' rights and freedoms2. Therefore, option C is the correct answer.Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1.Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1.Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1.Reference:

Convention 108 and Protocols

CIPP/E Certification

Convention 108+ and the Data Protection Framework of the EU