Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it
is a multi-billion-dollar candy company operating on every continent. All of the company’s IT
servers are located in Vermont. This year Joe hires his son Ben to join the company and
head up Project Big, which is a major marketing strategy to triple gross revenue in just 5
years. Ben graduated with a PhD in computer software from a top university. Ben decided
to join his father’s company, but is also secretly working on launching a new global online
dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that
many of them might also be interested in finding their perfect match. For Project Big, Ben
redesigns the company’s online web portal and requires customers in the European Union
and elsewhere to provide additional personal information in order to remain a customer.
Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto
a separate database for Ben Knows Best. Ben believes that he is not doing anything
wrong, because he explicitly asks each customer to give their consent by requiring them to
check a box before accepting their information. As Project Big is an important project, the
company also hires a first year college student named Sam, who is studying computer
science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer
information of people that reside in Ireland so that he and his friends can contact people
when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the
U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she
does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the
company to have in place a legal mechanism to transfer data internally from the company’s
operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge
of handling a major lawsuit that has been brought against the company in federal court in
the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make
copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s
information. Alice believes that Joe will be happy that she did the first level review, as it will
save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT
Department violated Article 5 of the GDPR because the company failed to first do what?
A.
Send out consent forms to all of its employees.
B.
Minimize the amount of data collected for the lawsuit.
C.
Inform all of its employees about the lawsuit.
D.
Encrypt the data from all of its employees.
Minimize the amount of data collected for the lawsuit.
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A.
The controller will be liable to pay an administrative fine
B.
The processor will be liable to pay compensation to affected data subjects
C.
The processor will be considered to be a controller in respect of the processing
concerned
D.
The controller will be required to demonstrate that the unauthorized processing
negatively affected one or more of the parties involved
The processor will be liable to pay compensation to affected data subjects
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?
A.
1 month.
B.
3 months.
C.
5 months.
D.
12 months.
3 months.
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll
function to Company B. Company B is an established payroll service provider with a
sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and
attendance data obtained via a biometric entry system installed in each of Company A’s
factories. Company B won’t hold any biometric data itself, but the related data will be
uploaded to Company B’s UK servers and used to provide the payroll service. Company
B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A
needs to carry out a data protection impact assessment in relation to the new time and
attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written
agreement requiring Company B to use the time and attendance data only for the purpose
of providing the payroll service, and to apply appropriate technical and organizational
security measures for safeguarding the data. Jenny suggests that Company B obtain
advice from its data protection officer. The company doesn’t have a DPO but agrees, in the
interest of finalizing the contract, to sign up for the provisions in full. Company A enters into
the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a
separate project meant to enhance the functionality of its payroll service, and engages
Company C to help. Company C agrees to extract all personal data from Company B’s live
systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server.
The two companies agree not to include any data processing provisions in their services
agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security
system, and suffers a cyber security incident soon after Company C begins work on the
project. As a result, data relating to Company A’s employees is visible to anyone visiting
Company C’s website. Company A is unaware of this until Jenny receives a letter from the
supervisory authority in connection with the investigation that ensues. As soon as Jenny is
made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate
technical and organizational measures. What would be the most realistic way that
Company B could have fulfilled this requirement?
A.
Hiring companies whose measures are consistent with recommendations of accrediting bodies.
B.
Requesting advice and technical support from Company A’s IT team.
C.
Avoiding the use of another company’s data to improve their own services.
D.
Vetting companies’ measures with the appropriate supervisory authority.
Hiring companies whose measures are consistent with recommendations of accrediting bodies.
Reference: https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?
A.
Court of Auditors
B.
Court of Justice of European Union
C.
European Court of Human Rights
D.
European Data Protection Board
Court of Justice of European Union
Select the answer below that accurately completes the following:
“The right to compensation and liability under the GDPR…
A.
…provides for an exemption from liability if the data controller (or data processor) proves
that it is not in any way responsible for the event giving rise to the damage.”
B.
…precludes any subsequent recourse proceedings against other controllers or
processors involved in the same processing.”
C.
...can only be exercised against the data controller, even if a data processor was involved in the same processing.”
D.
…is limited to a maximum amount of EUR 20 million per event of damage or loss.”
…precludes any subsequent recourse proceedings against other controllers or
processors involved in the same processing.”
Reference: https://gdpr-info.eu/art-82-gdpr/
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
A.
Employee data can only be processed if there is an approval from the data protection officer.
B.
Consent may not be valid if the employee feels compelled to provide it.
C.
An employer might have difficulty obtaining consent from every employee.
D.
Data protection laws do not apply to processing of employee data.
Employee data can only be processed if there is an approval from the data protection officer.
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in
France, but hosts its website through a company in Switzerland. As part of their service,
WonderKids will pass all personal data provided to them to the childcare provider booked
through their system. The type of personal data collected on the website includes the name
of the person booking the childcare, address and contact details, as well as information
about the children to be cared for including name, age, gender and health information. The
privacy statement on WonderKids’ website states the following:
“WonderKids provides the information you disclose to us through this website to your
childcare provider for scheduling and health and safety reasons. We may also use your
and your child’s personal information for our own legitimate business purposes and we
employ a third-party website hosting company located in Switzerland to store the data. Any
data stored on equipment located in Switzerland meets the European Commission
provisions for guaranteeing adequate safeguards for your and your child’s personal
information. We will only share your and your child’s personal information with businesses
that we see as adding real value to you. By providing us with any personal data, you
consent to its transfer to affiliated businesses and to our sending you promotional offers.”
“We may retain your and your child’s personal information for no more than 28 days, at
which point the data will be depersonalized, unless your personal information is being used
for a legitimate business purpose beyond 28 days, where it may be retained for up to 2
years.”
“We are processing your and your child’s personal information with your consent. If you
choose not to provide certain information to us, you may not be able to use our services.
You have the right to: request access to your and your child’s personal information; rectify
or erase your or your child’s personal information; the right to correction or erasure of your
and/or your child’s personal information; object to any processing of your and your child’s
personal information. You also have the right to complain to the supervisory authority about
our data processing activities.”
What must the contract between WonderKids and the hosting service provider contain?
A.
The requirement to implement technical and organizational measures to protect the data.
B.
Controller-to-controller model contract clauses.
C.
Audit rights for the data subjects.
D.
A non-disclosure agreement.
The requirement to implement technical and organizational measures to protect the data.
In which situation would a data controller most likely be able to justify the processing of the
data of a child without parental consent?
A.
When the data is to be processed for market research.
B.
When providing preventive or counselling services to the child.
C.
When providing the child with materials purely for educational use.
D.
When a legitimate business interest makes obtaining consent impractical.
When providing preventive or counselling services to the child.
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?
A.
If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
B.
When it has been determined that adequate protection can be performed.
C.
Only if the Data Protection Impact Assessment (DPIA) shows low risk.
D.
Only as a last resort and when interpreted restrictively.
When it has been determined that adequate protection can be performed.