Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR?
A.
The payment card number of a Dutch citizen
B.
The U.S. social security number of an American citizen living in France
C.
The unlinked aggregated data used for statistical purposes by an Italian company
D.
The identification number of a German candidate for a professional examination in Germany
The unlinked aggregated data used for statistical purposes by an Italian company
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last
few years. Their new manager, Oliver, suspects that this is partly due to the company’s
outdated website. After doing some research, he meets with a sales representative from
the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge
website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more
customer information through detailed questionnaires, which could be used to match
customers’ preferences to specific travel destinations. TripBliss Inc. can choose any number of data
categories – age, income, ethnicity – that would help them best accomplish their goals.
Oliver loves this idea, but would also like to have some way of gauging how successful this
approach is, especially since the questionnaires will require customers to provide explicit
consent to having their data collected. The Techiva representative suggests that they also
run a program to analyze the new website’s traffic, in order to get a better understanding of
how customers are using it. He explains his plan
to place a number of cookies on customer devices. The cookies will allow the company to
collect IP addresses and other information, such as the sites from which the customers
came, how much time they spend on the TripBliss Inc. website, and which pages on the
site they visit. All of this information will be compiled in log files, which Techiva will analyze
by means of a special program. TripBliss Inc. would receive aggregate statistics to help
them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for
these services.
A.
Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
B.
Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
C.
Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
D.
Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
What was the aim of the European Data Protection Directive 95/46/EC?
A.
To harmonize the implementation of the European Convention of Human Rights across all member states.
B.
To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
C.
To completely prevent the transfer of personal data out of the European Union.
D.
To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.
To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.
An unforeseen power outage results in company Z’s lack of access to customer data for six
hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP
29’s February, 2018 guidance, company Z should do which of the following?
A.
Notify affected individuals that their data was unavailable for a period of time.
B.
Document the loss of availability to demonstrate accountability
C.
Notify the supervisory authority about the loss of availability
D.
Conduct a thorough audit of all security systems
Document the loss of availability to demonstrate accountability
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded
its presence in Europe. Anxious to achieve market dominance, Liem teamed up with
another eco-friendly company, EcoMick, which sells accessories like belts and bags.
Together the companies drew up a series of marketing campaigns designed to highlight the
environmental and economic benefits of their products. After months of planning, Liem and
EcoMick entered into a data sharing agreement to use the same marketing database,
MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms
of which included processing personal data only upon Liem and EcoMick’s instructions,
and making available to them all information necessary to demonstrate compliance with
GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns.
Clients provide JaphSoft with the personal data of individuals they would like to be targeted
in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems
appropriate. JaphSoft works to continually improve its machine learning models by
analyzing the data it receives from its clients to determine the most successful components
of a successful campaign. JaphSoft then uses such models in providing services to its
client-base. Since the models improve only over a period of time as more information is
collected, JaphSoft does not have a deletion process for the data it receives from clients.
However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the
personal data by removing identifying
information from the contact information. JaphSoft’s engineers, however, maintain all
contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which
included contact information as well as prior purchase history for such contacts, to create
campaigns that would result in the most views of the two companies’ websites. A prior Liem
customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as
well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive
information in the future regarding Liem’s products, she has never shopped at EcoMick, nor
provided her personal data to that company.
JaphSoft’s use of pseudonymization is NOT in compliance with the GDPR because?
A.
JaphSoft failed to first anonymize the personal data.
B.
JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
C.
JaphSoft was in possession of information that could be used to identify data subjects.
D.
JaphSoft failed to keep personally identifiable information in a separate database.
JaphSoft failed to keep personally identifiable information in a separate database.
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They
use an internet-based common platform for collecting and sharing their customer data with
each other, in order to integrate their marketing efforts. Additionally, they agree on the data
to be stored, how reservations will be booked and confirmed, and who has access to the
stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency
to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that
allows customers to sign up to accumulate points that can later be redeemed for free travel.
Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He
sends an email requesting access to his data, in order to exercise what he believes are his
data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT
have to honor Mike’s data access request?
A.
The request is to obtain access and correct inaccurate personal data in his profile.
B.
The request is to obtain access and information about the purpose of processing his personal data.
C.
The request is to obtain access and erasure of his personal data while keeping his rewards membership.
D.
The request is to obtain access and the categories of recipients who have received his
personal data to process his rewards membership.
The request is to obtain access and erasure of his personal data while keeping his rewards membership.
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
A.
Background checks on employees could be performed only under prior notice to all
employees.
B.
Background checks are only authorized with prior notice and express consent from all
employees including those based in Europe.
C.
Background checks on European employees will stem from data protection and
employment law, which can vary between member states.
D.
Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for
employment.
Background checks on European employees will stem from data protection and
employment law, which can vary between member states.
Reference: https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/conductingbackgroundinvestigations.aspx
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?
A.
Anonymizing special categories of data.
B.
Conducting regular audits of the data protection program.
C.
Getting consent from the data subject for a cross border data transfer.
D.
Encrypting data in transit and at rest using strong encryption algorithms
Conducting regular audits of the data protection program.
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU
member states, but for the purposes of the GDPR maintains its primary establishment in
France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the
border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was
photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the
time, Javier gave his consent to being included in the photograph, since he was told that it
would be used for promotional purposes only. Since then, the photograph has been used in
the club’s U.K. brochures, and it features in the landing page of its U.K. website. However,
the fitness club has recently fallen into disrepute due to widespread mistreatment of
members at various branches of the club in several EU member states. As a result, Javier
no longer feels comfortable with his photograph being publicly associated with the fitness
club.
After numerous failed attempts to book an appointment with the manager of the local
branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image
be removed from the website and all promotional materials. Months pass and Javier,
having received no acknowledgment of his request, becomes very anxious about this
matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides
to take action against the company.
Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory
authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the
GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment)
about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the
CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL
liaises with the ICO, as relevant under the cooperation procedure. In light of issues
amongst the supervisory authorities to reach a decision, the European Data Protection
Board becomes involved and, pursuant to the consistency mechanism, issues a binding
decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to
honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has
formed its view on the matter?
A.
Submit a draft decision to other supervisory authorities for their opinion.
B.
Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
C.
Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
D.
Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision
Submit a draft decision to other supervisory authorities for their opinion.
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA
analysis. The company is headquartered in Montreal, and all of its employees are located
there. The company offers its services to Canadians only: Its website is in English and
French, it accepts only Canadian currency, and it blocks internet traffic from outside of
Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to
process orders that request the DNA report to be sent outside of Canada, and returns
orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU,
and the company is exploring a number of plans to expand its customer base.
The first plan, colloquially called We-Track-U, will use an app to collect information about its
current Canadian customer base. The expansion will allow its Canadian customers to use
the app while traveling abroad. He suggests that the company use this app to gather
location information. If the plan shows promise, Bob proposes to use push notifications and
text messages to encourage existing customers to pre-register for an EU version of the
service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations,
it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the
company’s app, like storage and sharing of DNA information with other applications and
medical providers. The company’s contract says that it can keep customer DNA
indefinitely, and use it to offer new services and market them to customers. It also says that
customers agree not to withdraw direct marketing consent. Paul, the marketing director,
suggests that the company should fully exploit these provisions, and that it can work
around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun
this process. It is in the process of purchasing the naming rights for a building in Germany,
which would come with a few offices that Who-R-U executives can use while traveling
internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply
a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held
unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of
Canada. The reports include customer name, birthdate, ethnicity, racial background,
names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?
A.
The company isn’t a controller established in the Union.
B.
The laptop belonged to a company located in Canada.
C.
The data isn’t considered personally identifiable financial information.
D.
There is no evidence that the thieves have accessed the data on the laptop.
The company isn’t a controller established in the Union.