aiotestking uk

CIPP-E Exam Questions - Online Test



Want to know Exambible CIPP-E Exam practice test features? Want to learn more about IAPP Certified Information Privacy Professional/Europe (CIPP/E) certification experience? Study Vivid IAPP CIPP-E answers to Far out CIPP-E questions at Exambible. Get success with an absolute guarantee to pass the IAPP CIPP-E (Certified Information Privacy Professional/Europe (CIPP/E)) test on your first attempt.

Check CIPP-E free dumps before getting the full version:

NEW QUESTION 1
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

  • A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
  • B. If Accidentable also uses the data to conduct public health research.
  • C. If the data becomes necessary to defend Accidentable’s legal rights.
  • D. If the accuracy of the data is not an aspect that Louis is disputing.

Answer: A

NEW QUESTION 2
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When the data is to be processed for market research.
  • B. When providing preventive or counselling services to the child.
  • C. When providing the child with materials purely for educational use.
  • D. When a legitimate business interest makes obtaining consent impractical.

Answer: B

NEW QUESTION 3
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

  • A. The group of undertakings must obtain approval from a supervisory authority.
  • B. The group of undertakings must be comprised of organizations of similar sizes and functions.
  • C. The data protection officer must be located in the country where the data controller has its main establishment.
  • D. The data protection officer must be easily accessible from each establishment where the undertakings are located.

Answer: D

NEW QUESTION 4
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

  • A. The obligation of companies to declare data breaches.
  • B. The requirement to demonstrate compliance to a supervisory authority.
  • C. The necessity of the bulk collection of personal data by the government.

Answer: B

NEW QUESTION 5
An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

  • A. Notify affected individuals that their data was unavailable for a period of time.
  • B. Document the loss of availability to demonstrate accountability
  • C. Notify the supervisory authority about the loss of availability
  • D. Conduct a thorough audit of all security systems

Answer: C

NEW QUESTION 6
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

  • A. Both govern international transfers of personal data
  • B. Both govern the manual processing of personal data
  • C. Both only apply to European Union countries
  • D. Both require notification of processing activities to a supervisory authority

Answer: D

NEW QUESTION 7
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?

  • A. It must solicit informed consent through a notice on its website
  • B. It must seek authorization from the European supervisory authorities
  • C. It must be able to demonstrate a prior business relationship with the customers
  • D. It must prove that it uses sufficient security safeguards to protect customer data

Answer: A

NEW QUESTION 8
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

  • A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
  • B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
  • C. Demonstrate that the profiling is for the purposes of direct marketing.
  • D. Consider the importance of the profiling to their particular objective.

Answer: C

NEW QUESTION 9
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

  • A. Approved data controllers.
  • B. The Council of the European Union.
  • C. National data protection authorities.
  • D. The European Data Protection Supervisor.

Answer: A

NEW QUESTION 10
SCENARIO
Please use the following to answer the next question:
Due to its rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:
  • Name
  • Address
  • Date of Birth
  • Payroll number
  • National Insurance number
  • Sick pay entitlement
  • Maternity/paternity pay entitlement
  • Holiday entitlement
  • Pension and benefits contributions
  • Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • B. Requesting advice and technical support from Company A’s IT team.
  • C. Avoiding the use of another company’s data to improve their own services.
  • D. Vetting companies’ measures with the appropriate supervisory authority.

Answer: A

NEW QUESTION 11
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

  • A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
  • B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
  • C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
  • D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.

Answer: B

NEW QUESTION 12
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

  • A. The requirements affected individuals without exception.
  • B. The requirements were financially burdensome to EU businesses.
  • C. The requirements specified that data must be held within the EU.
  • D. The requirements had limitations on how national authorities could use data.

Answer: D

NEW QUESTION 13
How does the GDPR now define “processing”?

  • A. Any act involving the collecting and recording of personal data.
  • B. Any operation or set of operations performed on personal data or on sets of personal data.
  • C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
  • D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Answer: A

NEW QUESTION 14
Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?

  • A. That it essentially functions as a one-stop shop mechanism
  • B. That it takes the form of a Regulation as opposed to a Directive
  • C. That it makes notification of large-scale data breaches mandatory
  • D. That it makes appointment of a data protection officer mandatory

Answer: D

NEW QUESTION 15
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
Which of the following is T-Craze’s lead supervisory authority?

  • A. Germany, because that is where T-Craze is headquartered.
  • B. France, because that is where T-Craze conducts processing of personal information.
  • C. Spain, because that is T-Craze’s primary market based on its marketing campaigns.
  • D. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.

Answer: C

NEW QUESTION 16
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

  • A. Inform the subjects about the collection
  • B. Provide a public notice regarding the data
  • C. Upgrade security to match that of the source
  • D. Update the data within a reasonable timeframe

Answer: A

NEW QUESTION 17
Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR?

  • A. The payment card number of a Dutch citizen
  • B. The U.S. social security number of an American citizen living in France
  • D. The unlinked aggregated data used for statistical purposes by an Italian company
  • E. The identification number of a German candidate for a professional examination in Germany

Answer: D
