CIPP-E Free Practice Test

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?

1. A. Where the technology supporting the website is located
2. B. Where the website is accessed
3. C. Where the decisions about processing are made
4. D. Where the customer’s Internet service provider is located

Correct Answer: D

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

1. A. The recipients or categories of recipients.
2. B. The categories of personal data concerned.
3. C. The rights of access, erasure, restriction, and portability.
4. D. The right to lodge a complaint with a supervisory authority.

Correct Answer: B

Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

1. A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
2. B. The name/s of relevant government agencies involved and the steps needed for revising the data.
3. C. The identity and contact details of the controller and the reasons the data is being collected.
4. D. The contact information of the controller and a description of the retention policy.

Correct Answer: C

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

1. A. Inform the subjects about the collection
2. B. Provide a public notice regarding the data
3. C. Upgrade security to match that of the source
4. D. Update the data within a reasonable timeframe

Correct Answer: A

Which of the following is one of the supervisory authority’s investigative powers?

1. A. To notify the controller or the processor of an alleged infringement of the GDPR.
2. B. To require that controllers or processors adopt approved data protection certification mechanisms.
3. C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
4. D. To require data controllers to provide them with written notification of all new processing activities.

Correct Answer: A