CIPP-E Free Practice Test

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

1. A. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
2. B. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
3. C. When the controller is required to have a Data Protection Officer.
4. D. When personal data is being transferred outside of the EEA.

Correct Answer: C

Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

1. A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
2. B. Because photographs qualify as biometric data only when they undergo a “specific technical processing”.
3. C. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
4. D. Because photographic ID is a physical security measure which is “necessary for reasons of substantial public interest”.

Correct Answer: B
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov GenNonProfit (11)

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

1. A. Within 40 days of receipt
2. B. Within 40 days of receipt, which may be extended by up to 40 additional days
3. C. Within one month of receipt, which may be extended by up to an additional month
4. D. Within one month of receipt, which may be extended by an additional two months

Correct Answer: C

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

1. A. Incidents of personal data breaches, whether disclosed or not.
2. B. Data inventory or data mapping exercises that have been conducted.
3. C. Categories of recipients to whom the personal data have been disclosed.
4. D. Retention periods for erasure and deletion of categories of personal data.

Correct Answer: D

Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

1. A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
2. B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
3. C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
4. D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

Correct Answer: B