CIPP-E Free Practice Test

What type of data lies beyond the scope of the General Data Protection Regulation?

1. A. Pseudonymized
2. B. Anonymized
3. C. Encrypted
4. D. Masked

Correct Answer: B

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

1. A. A postal notification
2. B. A direct electronic message
3. C. A notice on a corporate blog
4. D. A prominent advertisement in print media

Correct Answer: C

A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

1. A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
2. B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
3. C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
4. D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.

Correct Answer: B

Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

1. A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
2. B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
3. C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
4. D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Correct Answer: D

SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

1. A. Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.
2. B. Only the security measures assessed by BHealthy prior to entering into the data processing contract.
3. C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.
4. D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.

Correct Answer: A