CIPP-E Free Practice Test

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

1. A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
2. B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.
3. C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
4. D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

Correct Answer: B

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

1. A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
2. B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
3. C. Demonstrate that the profiling is for the purposes of direct marketing.
4. D. Consider the importance of the profiling to their particular objective.

Correct Answer: C

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

1. A. Both govern international transfers of personal data
2. B. Both govern the manual processing of personal data
3. C. Both only apply to European Union countries
4. D. Both require notification of processing activities to a supervisory authority

Correct Answer: D

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

1. A. Greece
2. B. Norway
3. C. Australia
4. D. Switzerland

Correct Answer: D

An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

1. A. Use a layered privacy notice on its website and in its email communications.
2. B. Identify uses of data in a privacy notice mailed to the data subject.
3. C. Provide only general information about its processing activities and offer a toll-free number for more information.
4. D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Correct Answer: B