WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’
provides examples of ways to communicate data breaches transparently. Which of the
following was listed as a method that would NOT be effective for communicating a breach
to data subjects?

A.

A postal notification

B.

A direct electronic message

C.

A notice on a corporate blog

D.

A prominent advertisement in print media

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

A.

A postal notification

B.

A direct electronic message

C.

A notice on a corporate blog

D.

A prominent advertisement in print media

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

A.

Inform the subjects about the collection

B.

Provide a public notice regarding the data

C.

Upgrade security to match that of the source

D.

Update the data within a reasonable timeframe

Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded
its presence in Europe. Anxious to achieve market dominance, Liem teamed up with
another eco friendly company, EcoMick, which sells accessories like belts and bags.
Together the companies drew up a series of marketing campaigns designed to highlight the
environmental and economic benefits of their products. After months of planning, Liem and
EcoMick entered into a data sharing agreement to use the same marketing database,
MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms
of which included processing personal data only upon Liem and EcoMick’s instructions,
and making available to them all information necessary to demonstrate compliance with
GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing
optimization firm that uses machine learning to help companies run successful campaigns.
Clients provide JaphSoft with the personal data of individuals they would like to be targeted
in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems
appropriate. JaphSoft works to continually improve its machine learning models by
analyzing the data it receives from its clients to determine the most successful components
of a successful campaign. JaphSoft then uses such models in providing services to its
client-base. Since the models improve only over a period of time as more information is
collected, JaphSoft does not have a deletion process for the data it receives from clients.
However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the
personal data by removing identifying
information from the contact information. JaphSoft’s engineers, however, maintain all
contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which
included contact information as well as prior purchase history for such contacts, to create
campaigns that would result in the most views of the two companies’ websites. A prior Liem
customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as
well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive
information in the future regarding Liem’s products, she has never shopped EcoMick, nor
provided her personal data to that company.
Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

A.

Processing the personal data upon documented instructions regarding data transfers outside of the EEA.

B.

Notification regarding third party requests for access to Liem and EcoMick’s personal data.

C.

Assistance to Liem and EcoMick in their compliance with data protection impact assessments.

D.

Returning or deleting personal data after the end of the provision of the services.

Please use the following to answer the next QUESTION NO:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal
injury. Louis has heard about insurance companies selling customers’ data to third parties,
and he’s convinced that Accidentable must have gotten his information from Bedrock
Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock,
trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and
has been shocked to find that other insurers offer much cheaper rates than Bedrock, even
though he has been a loyal customer for many years. When his Bedrock policy comes up
In order to activate his new insurance policy, Louis needs to supply Zantrum with
information about his No Claims bonus, his vehicle and his driving history. After
researching his rights under the GDPR, he writes to ask Bedrock to transfer his information
directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his
personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his
No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is
not technically feasible. Bedrock also explains that Louis’s contract included a provision
whereby Louis agreed that his data could be used for marketing purposes; according to
Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he
recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He
writes to Accidentable to ask for the name of the organization that supplied his details to
them. He warns Accidentable that he plans to complain to the data protection authority,
because he thinks their company has been using his data unlawfully. His letter states that
he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock
Insurance’s wholly owned subsidiary, and they received information about Louis’s accident
from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis
that there has been no breach of the GDPR, as Louis’s contract included, a provision in
which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them
insisting that all his information be erased from their computer system.
Based on the GDPR’s position on the use of personal data for direct marketing purposes,
which of the following is true about Louis’s rights as a data subject?

A.

Louis does not have the right to object to the use of his data because he previously consented to it.

B.

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

C.

Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.

D.

Louis does not have the right to object to the use of his data if Bedrock can demonstrate

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

A.

ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

B.

CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

C.

CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

D.

ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

A.

The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

B.

The name/s of relevant government agencies involved and the steps needed for revising the data.

C.

The identity and contact details of the controller and the reasons the data is being collected.

D.

The contact information of the controller and a description of the retention policy.

Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it
is a multi-billion-dollar candy company operating in every continent. All of the company’s IT
servers are located in Vermont. This year Joe hires his son Ben to join the company and
head up Project Big, which is a major marketing strategy to triple gross revenue in just 5
years. Ben graduated with a PhD in computer software from a top university. Ben decided
to join his father’s company, but is also secretly working on launching a new global online
dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that
many of them might also be interested in finding their perfect match. For Project Big, Ben
redesigns the company’s online web portal and requires customers in the European Union
and elsewhere to provide additional personal information in order to remain a customer.
Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto
a separate database for Ben Knows Best. Ben believes that he is not doing anything
wrong, because he explicitly asks each customer to give their consent by requiring them to
check a box before accepting their information. As Project Big is an important project, the
company also hires a first year college student named Sam, who is studying computer
science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer
information of people that reside in Ireland so that he and his friends can contact people
when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the
U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she
does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the
company to have in place a legal mechanism to transfer data internally from the company’s
operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge
of handling a major lawsuit that has been brought against the company in federal court in
the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make
copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s
information. Alice believes that Joe will be happy that she did the first level review, as it will
save the company a lot of money that would otherwise be paid to its outside law firm.
When Ben had the company collect additional data from its customers, the most serious
violation of the GDPR occurred because the processing of the data created what?

A.

An information security risk by copying the data into a new database.

B.

A potential legal liability and financial exposure from its customers.

C.

A significant risk to the customers’ fundamental rights and freedoms.

D.

A significant risk due to the lack of an informed consent mechanism.

The GDPR forbids the practice of “forum shopping”, which occurs when companies do
what?

A.

Choose the data protection officer that is most sympathetic to their business concerns.

B.

Designate their main establishment in member state with the most flexible practices.

C.

File appeals of infringement judgments with more than one EU institution
simultaneously.

D.

Select third-party processors on the basis of cost rather than quality of privacy
protection.

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

A.

Inform the data subject of the security measures in place.

B.

Ensure that the receiving entity has signed a data processing agreement.

C.

Encrypt the transferred data in transit and at rest.

D.

Conduct a data protection impact assessment.