NEW QUESTION 1
Which of the following was the first to implement national law for data protection in 1973?

• A. France
• B. Sweden
• C. Germany
• D. United Kingdom

Answer: B

NEW QUESTION 2
Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?

• A. Choose the data protection officer that is most sympathetic to their business concerns.
• B. Designate their main establishment in member state with the most flexible practices.
• C. File appeals of infringement judgments with more than one EU institution simultaneously.
• D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Answer: B

NEW QUESTION 3
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?

• A. It is not legal to include fields requiring information regarding health status without consent.
• B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
• C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
• D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.

Answer: C

NEW QUESTION 4
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

• A. Accuracy
• B. Storage Limitation
• C. Integrity and confidentiality
• D. Lawfulness, fairness and transparency

Answer: C

NEW QUESTION 5
A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

• A. Inform the data subject of the security measures in place.
• B. Ensure that the receiving entity has signed a data processing agreement.
• C. Encrypt the transferred data in transit and at rest.
• D. Conduct a data protection impact assessment.

Answer: A

NEW QUESTION 6
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border
transfers?

• A. The European Commission can adopt an adequacy decision for individual companies.
• B. The European Commission can adopt, repeal or amend an existing adequacy decision.
• C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
• D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Answer: A

NEW QUESTION 7
The European Parliament jointly exercises legislative and budgetary functions with which of the following?

• A. The European Commission.
• B. The Article 29 Working Party.
• C. The Council of the European Union.
• D. The European Data Protection Board.

Answer: C

NEW QUESTION 8
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

• A. To create and maintain records of processing activities.
• B. To conduct Privacy Impact Assessments on behalf of the controller or processor.
• C. To monitor compliance with other local or European data protection provisions.
• D. To create procedures for notification of personal data breaches to competent supervisory authorities.

Answer: B

NEW QUESTION 9
What are the obligations of a processor that engages a sub-processor?

• A. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
• B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
• C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
• D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Answer: C

NEW QUESTION 10
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being
used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

• A. The lack of the option to opt in.
• B. The level of security within the website.
• C. The contract with the third-party advertising network.
• D. The need to have the contents of the advertising approved.

Answer: A

NEW QUESTION 11
What obligation does a data controller or processor have after appointing a data protection officer?

• A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
• B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
• C. To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.
• D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

Answer: D

NEW QUESTION 12
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

• A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
• B. The Directive was superseded by the General Data Protection Regulation.
• C. The Directive was annulled by the Court of Justice of the European Union.
• D. The Directive was annulled by the European Court of Human Rights.

Answer: C

NEW QUESTION 13
When would a data subject NOT be able to exercise the right to portability?

• A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
• B. When the processing is carried out pursuant to a contract with the data subject.
• C. When the data was supplied to the controller by the data subject.
• D. When the processing is based on consent.

Answer: A

NEW QUESTION 14
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

• A. Submit the contract to its own government authority.
• B. Ensure that notice is given to and consent is obtained from data subjects.
• C. Supply any information requested by a data protection authority (DPA) within 30 days.
• D. Ensure that local laws do not impede the company from meeting its contractual obligations.

Answer: A

NEW QUESTION 15
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

• A. Incidents of personal data breaches, whether disclosed or not.
• B. Data inventory or data mapping exercises that have been conducted.
• C. Categories of recipients to whom the personal data have been disclosed.
• D. Retention periods for erasure and deletion of categories of personal data.

Answer: D

NEW QUESTION 16
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a
multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

• A. Notify its Data Protection Authority about the data breach.
• B. Analyze and evaluate the liability for customers in Ireland.
• C. Analyze and evaluate all of its breach notification obligations.
• D. Notify all of its customers that reside in the European Union.

Answer: A

NEW QUESTION 17
Why is advisable to avoid consent as a legal basis for an employer to process employee data?

• A. Employee data can only be processed if there is an approval from the data protection officer.
• B. Consent may not be valid if the employee feels compelled to provide it.
• C. An employer might have difficulty obtaining consent from every employee.
• D. Data protection laws do not apply to processing of employee data.

Answer: A

NEW QUESTION 18
......