IAPP CIPP-E Practice Test - Questions Answers, Page 9
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
The European Commission can adopt an adequacy decision for individual companies.
The European Commission can adopt, repeal or amend an existing adequacy decision.
EU member states are vested with the power to accept or reject a European Commission adequacy decision.
To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
The ability to enact new laws by executive order.
The right to access data for investigative purposes.
The discretion to carry out goals of elected officials within the member state.
The authority to select penalties when a controller is found guilty in a court of law.
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' -- the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
Submit a draft decision to other supervisory authorities for their opinion.
Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
SCENARIO
Please use the scenario from the previous question (Javier and the fitness club EVERFIT) to answer the next question.
Assuming that multiple EVERFIT branches across several EU countries are acting as separate data controllers, and that each of those branches was responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?
He will have to sue EVERFIT's head office in France, where EVERFIT has its main establishment.
He will be able to sue any one of the relevant EVERFIT branches, as each one may be held liable for the entire damage.
He will have to sue each EVERFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
He will be able to apply to the European Data Protection Board in order to determine which particular EVERFIT branch is liable for damages, based on the decision that was made by the board.
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
Failure to process personal information in a manner compatible with its original purpose.
Failure to provide the means for a data subject to rectify inaccuracies in personal data.
What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"?
To encourage the consistency of local data processing activity.
To give corporations a choice about who their supervisory authority will be.
To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
Data subject rights
Data access disputes
Cross-border processing
Special categories of data
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
Background checks on employees could be performed only under prior notice to all employees.
Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
Background checks on European employees will stem from data protection and employment law, which can vary between member states.
Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
Employee data can only be processed if there is an approval from the data protection officer.
Consent may not be valid if the employee feels compelled to provide it.
An employer might have difficulty obtaining consent from every employee.
Data protection laws do not apply to processing of employee data.
What is true if an employee makes an access request to his employer for any personal data held about him?
The employer can automatically decline the request if it contains personal data about a third person.
The employer can decline the request if the information is only held electronically.
The employer must supply all the information held about the employee.
The employer must supply any information held about an employee unless an exemption applies.