CIPP-E Practice Test

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

A.

The recipients or categories of recipients.

B.

The categories of personal data concerned.

C.

The rights of access, erasure, restriction, and portability.

D.

The right to lodge a complaint with a supervisory authority.

Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices
throughout the United States, Asia, and Europe (including Germany, Italy, France and
Portugal). Last year the company was the victim of a phishing attack that resulted in a
significant data breach. The executive board, in coordination with the general manager,
their Privacy Office and the Information Security team, resolved to adopt additional security
measures. These included training awareness programs, a cybersecurity audit, and use of
a new software tool called SecurityScan, which scans employees’ computers to see if they
have software that is no
longer being supported by a vendor and therefore not getting security updates. However,
this software also provides other features, including the monitoring of employees’
computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office
decided to issue a general notice to all employees indicating that the company will
implement a series of initiatives to enhance information security and prevent future data
breaches.
After the implementation of these measures, server performance decreased. The general
manager instructed the Security team on how to use SecurityScan to monitor employees’
computers activity and their location. During these activities, the Information Security team
discovered that one employee from Italy was daily connecting to a video library of movies,
and another one from Germany worked remotely without authorization. The Security team
reported these incidents to the Privacy Office and the general manager. In their report, the
team concluded that the employee from Italy was the reason why the server performance
decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary
measures to both employees, since the security and privacy policy of the company
prohibited employees from installing software on the company’s computers, and from
working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before
implementing the SecurityScan measure?

A.

Assessed potential privacy risks by conducting a data protection impact assessment.

B.

Consulted with the relevant data protection authority about potential privacy violations.

C.

Distributed a more comprehensive notice to employees and received their express consent.

D.

Consulted with the Information Security team to weigh security measures against possible server impacts.

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A.

A prior opt-in consent for consumers unless they are already customers.

B.

A pre-checked box stating that the consumer agrees to receive email marketing.

C.

A notice that the consumer’s email address will be used for marketing purposes.

D.

No prior permission required, but an opt-out requirement on all emails sent to
consumers.

According to the GDPR, how is pseudonymous personal data defined?

A.

Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.

B.

Data that can no longer be attributed to a specific data subject, with no possibility of reidentifying the data.

C.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

D.

Data that has been encrypted or is subject to other technical safeguards.

Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

A.

Legislative powers.

B.

Corrective powers.

C.

Investigatory powers.

D.

Authorization and advisory powers.