CIPP-E Exam Questions

Total 206 Questions

Last Updated Exam : 16-Dec-2024

Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own
business for two years. Brady’s business provides a low-cost suite of services to customers
throughout the European Economic Area (EEA). The services are targeted towards new
and aspiring small business owners. Brady’s company, called Brady Box, provides web
page design services, a Social Networking Service (SNS) and consulting services that help
people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna
recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to
public viewing. Although she realized her mistake two weeks later and removed the
document, Anna is holding Brady Box responsible for not noticing the error through regular
monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was
transferred to a third-party contractor called Hermes Designs and worries that sensitive
information regarding his business plans may be misused. Brady does not believe he
violated European privacy rules. He provides a privacy notice to all of his customers
explicitly stating that personal data may be transferred to specific third parties in fulfillment
of a requested service. Felipe says he read the privacy notice but that it was long and
complicated.
Brady continues to insist that Felipe has no need to be concerned, as he can personally
vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative
to create sample customized banner advertisements for customers like Felipe. Brady is
happy to provide a link to the example banner ads, now posted on the Hermes Designs
webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation
by him is being used within a graphic collage on Brady Box’s home webpage. The
quotation is attributed to Serge by first and last name. Brady, however, was not worried
about any sort of litigation. He wrote back to Serge to let him know that he found the
quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had
posted the quotation. In his response, Brady did offer to remove the quotation as a
courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements
his income through online behavioral advertising (OBA) via a third-party ad network with
whom he has set clearly defined roles. Brady is pleased that, although some customers are
not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason
Serge may have grounds to object to the use of his quotation?


A. Because of the misrepresentation of personal data as an endorsement.
B. Because of the juxtaposition of the quotation with others’ quotations.
C. Because of the use of personal data outside of the social networking service (SNS).
D. Because of the misapplication of the household exception in relation to a social networking service (SNS).

D. Because of the misapplication of the household exception in relation to a social networking service (SNS).



Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices
throughout the United States, Asia, and Europe (including Germany, Italy, France and
Portugal). Last year the company was the victim of a phishing attack that resulted in a
significant data breach. The executive board, in coordination with the general manager,
their Privacy Office and the Information Security team, resolved to adopt additional security
measures. These included training awareness programs, a cybersecurity audit, and use of
a new software tool called SecurityScan, which scans employees’ computers to see if they
have software that is no longer being supported by a vendor and therefore not getting
security updates. However, this software also provides other features, including the
monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office
decided to issue a general notice to all employees indicating that the company will
implement a series of initiatives to enhance information security and prevent future data
breaches.
After the implementation of these measures, server performance decreased. The general
manager instructed the Security team on how to use SecurityScan to monitor employees’
computer activity and their location. During these activities, the Information Security team
discovered that one employee from Italy was daily connecting to a video library of movies,
and another one from Germany worked remotely without authorization. The Security team
reported these incidents to the Privacy Office and the general manager. In their report, the
team concluded that the employee from Italy was the reason why the server performance
decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary
measures to both employees, since the security and privacy policy of the company
prohibited employees from installing software on the company’s computers, and from
working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of
their data and their privacy rights, what information should Building Block have provided
them before implementing the security measures?


A. Information about what is specified in the employment contract.
B. Information about who employees should contact with any queries.
C. Information about how providing consent could affect them as employees.
D. Information about how the measures are in the best interests of the company.

A. Information about what is specified in the employment contract.



In which of the following situations would an individual most likely be able to withdraw her consent for processing?


A. When she is leaving her bank and moving to another bank.
B. When she has recently changed jobs and no longer works for the same company.
C. When she disagrees with a diagnosis her doctor has recorded on her records.
D. When she no longer wishes to be sent marketing materials from an organization.

D. When she no longer wishes to be sent marketing materials from an organization.



In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) 
reaffirmed the importance of using a “layered notice” to provide data subjects with what?


A. A privacy notice containing brief information whilst offering access to further detail.
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
C. An explanation of the security measures used when personal data is transferred to a third party.
D. An efficient means of providing written consent in member states where they are required to do so.

A. A privacy notice containing brief information whilst offering access to further detail.



A well-known video production company, based in Spain but specializing in documentaries
filmed worldwide, has just finished recording several hours of footage featuring senior
citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?


A. If obtaining consent is deemed to involve disproportionate effort.
B. If obtaining consent is deemed voluntary by local legislation.
C. If the company limits the footage to data subjects solely of legal age.
D. If the company’s status as a documentary provider allows it to claim legitimate interest.

B. If obtaining consent is deemed voluntary by local legislation.



Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. Wonderkids is based in
France, but hosts its website through a company in Switzerland. As part of their service,
WonderKids will pass all personal data provided to them to the childcare provider booked
through their system. The type of personal data collected on the website includes the name
of the person booking the childcare, address and contact details, as well as information
about the children to be cared for including name, age, gender and health information. The
privacy statement on Wonderkids’ website states the following:
“WonderKids provides the information you disclose to us through this website to your
childcare provider for scheduling and health and safety reasons. We may also use your
and your child’s personal information for our own legitimate business purposes and we
employ a third-party website hosting company located in Switzerland to store the data. Any
data stored on equipment located in Switzerland meets the European Commission
provisions for guaranteeing adequate safeguards for you and your child’s personal
information. We will only share you and your child’s personal information with businesses
that we see as adding real value to you. By providing us with any personal data, you
consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at
which point the data will be depersonalized, unless your personal information is being used
for a legitimate business purpose beyond 28 days where it may be retained for up to 2
years.”
“We are processing you and your child’s personal information with your consent. If you
choose not to provide certain information to us, you may not be able to use our services.
You have the right to: request access to you and your child’s personal information; rectify
or erase you or your child’s personal
information; the right to correction or erasure of you and/or your child’s personal
information; object to any processing of you and your child’s personal information. You also
have the right to complain to the supervisory authority about our data processing activities.”
What additional information must Wonderkids provide in their Privacy Statement?


A. How often promotional emails will be sent.
B. Contact information of the hosting company.
C. The categories of recipients with whom data will be shared.
D. The categories of recipients with whom data will be shared.

B. Contact information of the hosting company.



Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with
each other, in order to integrate their marketing efforts. Additionally, they agree on the data
to be stored, how reservations will be booked and confirmed, and who has access to the
stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency
to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that
allows customers to sign up to accumulate points that can later be redeemed for free travel.
Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He
sends an email requesting access to his data, in order to exercise what he believes are his
data subject rights.
What is the time period in which Mike should receive a response to his request?


A. Not more than one month of receipt of Mike’s request.
B. Not more than two months after verifying Mike’s identity.
C. When all the information about Mike has been collected.
D. Not more than thirty days after submission of Mike’s request.

D. Not more than thirty days after submission of Mike’s request.



Which of the following would require designating a data protection officer?


A. Processing is carried out by an organization employing 250 persons or more.
B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.



Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

When would a data subject NOT be able to exercise the right to portability?


A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B. When the processing is carried out pursuant to a contract with the data subject.
C. When the data was supplied to the controller by the data subject.
D. When the processing is based on consent.

A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.



Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. Wonderkids is based in
France, but hosts its website through a company in Switzerland. As part of their service,
WonderKids will pass all personal data provided to them to the childcare provider booked
through their system. The type of personal data collected on the website includes the name
of the person booking the childcare, address and contact details, as well as information
about the children to be cared for including name, age, gender and health information. The
privacy statement on Wonderkids’ website states the following:
“WonderKids provides the information you disclose to us through this website to your
childcare provider for scheduling and health and safety reasons. We may also use your
and your child’s personal information for our own legitimate business purposes and we
employ a third-party website hosting company located in Switzerland to store the data. Any
data stored on equipment located in Switzerland meets the European Commission
provisions for guaranteeing adequate safeguards for you and your child’s personal
information. We will only share you and your child’s personal information with businesses
that we see as adding real value to you. By providing us with any personal data, you
consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at
which point the data will be depersonalized, unless your personal information is being used
for a legitimate business purpose beyond 28 days where it may be retained for up to 2
years.”
“We are processing you and your child’s personal information with your consent. If you
choose not to provide certain information to us, you may not be able to use our services.
You have the right to: request access to you and your child’s personal information; rectify
or erase you or your child’s personal information; the right to correction or erasure of you
and/or your child’s personal information; object to any processing of you and your child’s
personal information. You also have the right to complain to the supervisory authority about
our data processing activities.”
What direct marketing information can WonderKids send by email without prior consent of
the person booking the childcare?


A. No marketing information at all.
B. Any marketing information at all.
C. Marketing information related to other business operations of WonderKids.
D. Marketing information for products or services similar to those purchased from WonderKids.

C. Marketing information related to other business operations of WonderKids.



