The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?
A.
The recipients or categories of recipients.
B.
The categories of personal data concerned.
C.
The rights of access, erasure, restriction, and portability.
D.
The right to lodge a complaint with a supervisory authority.
The categories of personal data concerned.
B
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices
throughout the United States, Asia, and Europe (including Germany, Italy, France and
Portugal). Last year the company was the victim of a phishing attack that resulted in a
significant data breach. The executive board, in coordination with the general manager,
their Privacy Office and the Information Security team, resolved to adopt additional security
measures. These included training awareness programs, a cybersecurity audit, and use of
a new software tool called SecurityScan, which scans employees’ computers to see if they
have software that is no
longer being supported by a vendor and therefore not getting security updates. However,
this software also provides other features, including the monitoring of employees’
computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office
decided to issue a general notice to all employees indicating that the company will
implement a series of initiatives to enhance information security and prevent future data
breaches.
After the implementation of these measures, server performance decreased. The general
manager instructed the Security team on how to use SecurityScan to monitor employees’
computers activity and their location. During these activities, the Information Security team
discovered that one employee from Italy was daily connecting to a video library of movies,
and another one from Germany worked remotely without authorization. The Security team
reported these incidents to the Privacy Office and the general manager. In their report, the
team concluded that the employee from Italy was the reason why the server performance
decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary
measures to both employees, since the security and privacy policy of the company
prohibited employees from installing software on the company’s computers, and from
working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before
implementing the SecurityScan measure?
A.
Assessed potential privacy risks by conducting a data protection impact assessment.
B.
Consulted with the relevant data protection authority about potential privacy violations.
C.
Distributed a more comprehensive notice to employees and received their express consent.
D.
Consulted with the Information Security team to weigh security measures against possible server impacts.
Distributed a more comprehensive notice to employees and received their express consent.
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
A.
A prior opt-in consent for consumers unless they are already customers.
B.
A pre-checked box stating that the consumer agrees to receive email marketing.
C.
A notice that the consumer’s email address will be used for marketing purposes.
D.
No prior permission required, but an opt-out requirement on all emails sent to
consumers.
A prior opt-in consent for consumers unless they are already customers.
Reference: https://www.forbes.com/sites/forbescommunicationscouncil/2018/06/27/whatgdpr-
means-for- email-marketing-to-eu-customers/#64020aa8374a
According to the GDPR, how is pseudonymous personal data defined?
A.
Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
B.
Data that can no longer be attributed to a specific data subject, with no possibility of reidentifying the data.
C.
Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
D.
Data that has been encrypted or is subject to other technical safeguards.
Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
A.
Legislative powers.
B.
Corrective powers.
C.
Investigatory powers.
D.
Authorization and advisory powers.
Authorization and advisory powers.
Reference: https://www.privacy-regulation.eu/en/article-58-powers-GDPR.htm
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
A.
Notify the appropriate data protection authority.
B.
Perform a data protection impact assessment (DPIA).
C.
Create an information retention policy for those who operate the system.
D.
Ensure that safeguards are in place to prevent unauthorized access to the footage.
Create an information retention policy for those who operate the system.
Which of the following is NOT recognized as being a common characteristic of cloudcomputing services?
A.
The service’s infrastructure is shared among the supplier’s customers and can be
located in a number of countries.
B.
The supplier determines the location, security measures, and service standards
applicable to the processing.
C.
The supplier allows customer data to be transferred around the infrastructure according to capacity.
D.
The supplier assumes the vendor’s business risk associated with data processed by the
supplier.
The supplier assumes the vendor’s business risk associated with data processed by the
supplier.
Reference: https://www.softwaremajor.com/news-articles/64-gdpr-how-does-it-apply-to-thecloud
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
A.
To create and maintain records of processing activities.
B.
To conduct Privacy Impact Assessments on behalf of the controller or processor.
C.
To monitor compliance with other local or European data protection provisions.
D.
To create procedures for notification of personal data breaches to competent
supervisory authorities.
To conduct Privacy Impact Assessments on behalf of the controller or processor.
Reference: https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-aboutnew-
role-required- gdpr-compliance
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection
Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
A.
The establishment of a list of legitimate data processing criteria
B.
The creation of legally binding data protection principles
C.
The synchronization of approaches to data protection
D.
The restriction of cross-border data flow
The restriction of cross-border data flow
Reference: https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dpdirective.
pdf (99)
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data
protection, while Frank is a lecturer in the engineering department. The University
maintains a number of types of records:
Student records, including names, student numbers, home addresses, preuniversity
information, university attendance and performance records, details of
special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional
contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and
conferrals of degrees. These records are available to former students after
registering through Granchester’s Alumni portal. Department for Education
records, showing how certain demographic groups (such as first-generation
students) could be expected, on average, to progress. These records do not
contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records
in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students
perform in relational to Department for Education expectations. He has attended one of
Anna’s data protection training courses and knows that he should use no more personal
data than necessary to accomplish his goal. He creates a
program that will only export some student data: previous schools attended, grades
originally obtained, grades currently obtained and first time university attended. He wants to
keep the records at the individual student level. Mindful of Anna’s training, Frank runs the
student numbers through an algorithm to transform them into different reference numbers.
He uses the same algorithm on each occasion so that he can update each record over
time.
One of Anna’s tasks is to complete the record of processing activities, as required by the
GDPR. After receiving her email reminder, as required by the GDPR. After receiving her
email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check
that this new use
of existing data is permissible. She also suspects that, under the GDPR, a risk analysis
may have to be carried out before the data processing can take place. Anna arranges to
discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his
home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the
University he loses it on the train. Frank has to see Anna that day to discuss compatible
processing. He knows that he needs to report security incidents, so he decides to tell Anna
about his lost laptop at the same time.
Before Anna determines whether Frank’s performance database is permissible, what
additional information does she need?
A.
More information about Frank’s data protection training.
B.
More information about the extent of the information loss.
C.
More information about the algorithm Frank used to mask student numbers.
D.
More information about what students have been told and how the research will be used.
More information about what students have been told and how the research will be used.
Page 1 out of 21 Pages |