NEW QUESTION 1
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.
Which of the following best explain why this practice would NOT be subject to the GDPR?

• A. Body temperature is not considered personal data.
• B. The practice does not involve completion by automated means.
• C. Body temperature is considered pseudonymous data.
• D. The practice is for the purpose of alleviating extreme risks to public health.

Answer: B

NEW QUESTION 2
Which type of personal data does the GDPR define as a “special category” of personal data?

• A. Educational history.
• B. Trade-union membership.
• C. Closed Circuit Television (CCTV) footage.
• D. Financial information.

Answer: B

NEW QUESTION 3
Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

• A. It cannot be attributed to a data subject without the use of additional information.
• B. It cannot be attributed to a person under any circumstances.
• C. It can only be attributed to a person by the controller.
• D. It can only be attributed to a person by a third party.

Answer: A

NEW QUESTION 4
If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

• A. 1 month.
• B. 3 months.
• C. 5 months.
• D. 12 months.

Answer: B

NEW QUESTION 5
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

• A. Provide the user with logs of data collected through use of the app.
• B. Erase any data collected from the time the app was first used.
• C. Inform any third parties of the user’s withdrawal of consent.
• D. Cease processing any data collected through use of the app.

Answer: D

NEW QUESTION 6
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

• A. The public
• B. Company X
• C. Law enforcement
• D. The supervisory authority

Answer: C

NEW QUESTION 7
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

• A. The company isn’t a controller established in the Union.
• B. The laptop belonged to a company located in Canada.
• C. The data isn’t considered personally identifiable financial information.
• D. There is no evidence that the thieves have accessed the data on the laptop.

Answer: A

NEW QUESTION 8
Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

• A. It collects data from European Union websites, which constitutes an establishment in the EuropeanUnion.
• B. It offers services in the European Union by identifying data subjects in the European Union.
• C. It collects data from subjects and uses it for automated processing.
• D. It monitors the behavior of data subjects in the European Union.

Answer: A

NEW QUESTION 9
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

• A. The data is sensitive.
• B. The data is uncategorized.
• C. The data is being used for a new purpose.
• D. The data is being processed via a new means.

Answer: D

NEW QUESTION 10
What should a controller do after a data subject opts out of a direct marketing activity?

• A. Without exception, securely delete all personal data relating to the data subject.
• B. Without undue delay, provide information to the data subject on the action that will be taken.
• C. Refrain from processing personal data relating to the data subject for the relevant type of communication.
• D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Answer: C

NEW QUESTION 11
If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

• A. Decision 2001/497/EC (EU controller to non-EU or EEA controller).
• B. Decision 2004/915/EC (EU controller to non-EU or EEA controller).
• C. Decision 2007/72/EC (EU processor to non-EU or EEA controller).
• D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller).

Answer: B

NEW QUESTION 12
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a
multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

• A. The Court of Justice of the European Union.
• B. The European Data Protection Board.
• C. The Data Protection Authority.
• D. The European Commission.

Answer: C

NEW QUESTION 13
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

• A. The European Parliament
• B. The European Commission
• C. The Article 29 Working Party
• D. The European Council

Answer: B

NEW QUESTION 14
In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

• A. When she is leaving her bank and moving to another bank.
• B. When she has recently changed jobs and no longer works for the same company.
• C. When she disagrees with a diagnosis her doctor has recorded on her records.
• D. When she no longer wishes to be sent marketing materials from an organization.

Answer: D

NEW QUESTION 15
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

• A. When the personal data is processed only in non-electronic form
• B. When the personal data is collected and then pseudonymised by the controller
• C. When the personal data is held by the controller but not processed for further purposes
• D. When the personal data is processed by an individual only for their household activities

Answer: B

NEW QUESTION 16
There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

• A. Consent management and withdrawal.
• B. Incident detection and response.
• C. Preventative security.
• D. Remedial security.

Answer: A

NEW QUESTION 17
A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

• A. The lawful processing criteria stipulated by Articles 6 to 9
• B. The information requirements set out in Articles 13 and 14
• C. The breach notification requirements specified in Articles 33 and 34
• D. The rights granted to data subjects under Articles 12 to 22

Answer: D

NEW QUESTION 18
......