CIPP-E Practice Test

Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own
business for two years. Brady’s business provides a low-cost suite of services to customers
throughout the European Economic Area (EEA). The services are targeted towards new
and aspiring small business owners. Brady’s company, called Brady Box, provides web
page design services, a Social Networking Service (SNS) and consulting services that help
people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna
recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to
public viewing. Although she realized her mistake two weeks later and removed the
document, Anna is holding Brady Box responsible for not noticing the error through regular
monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was
transferred to a third- party contractor called Hermes Designs and worries that sensitive
information regarding his business plans may be misused. Brady does not believe he
violated European privacy rules. He provides a privacy notice to all of his customers
explicitly stating that personal data may be transferred to specific third parties in fulfillment
of a requested service. Felipe says he read the privacy notice but that it was long and
complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally
vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative
to create sample customized banner advertisements for customers like Felipe. Brady is
happy to provide a link to the example banner ads, now posted on the Hermes Designs
webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation
by him is being used within a graphic collage on Brady Box’s home webpage. The
quotation is attributed to Serge by first and last name. Brady, however, was not worried
about any sort of litigation. He wrote back to Serge to let him know that he found the
quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had
posted the quotation. In his response, Brady did offer to remove the quotation as a
courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements
his income through online behavioral advertising (OBA) via a third-party ad network with
whom he has set clearly defined roles. Brady is pleased that, although some customers are
not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason
Serge may have grounds to object to the use of his quotation?

A.

Because of the misrepresentation of personal data as an endorsement.

B.

Because of the juxtaposition of the quotation with others’ quotations.

C.

Because of the use of personal data outside of the social networking service (SNS).

D.

Because of the misapplication of the household exception in relation to a social
networking service (SNS).

Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices
throughout the United States, Asia, and Europe (including Germany, Italy, France and
Portugal). Last year the company was the victim of a phishing attack that resulted in a
significant data breach. The executive board, in coordination with the general manager,
their Privacy Office and the Information Security team, resolved to adopt additional security
measures. These included training awareness programs, a cybersecurity audit, and use of
a new software tool called SecurityScan, which scans employees’ computers to see if they
have software that is no longer being supported by a vendor and therefore not getting
security updates. However, this software also provides other features, including the
monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office
decided to issue a general notice to all employees indicating that the company will
implement a series of initiatives to enhance information security and prevent future data
breaches.
After the implementation of these measures, server performance decreased. The general
manager instructed the Security team on how to use SecurityScan to monitor employees’
computers activity and their location. During these activities, the Information Security team
discovered that one employee from Italy was daily connecting to a video library of movies,
and another one from Germany worked remotely without authorization. The Security team
reported these incidents to the Privacy Office and the general manager. In their report, the
team concluded that the employee from Italy was the reason why the server performance
decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary
measures to both employees, since the security and privacy policy of the company
prohibited employees from installing software on the company’s computers, and from
working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of
their data and their privacy rights, what information should Building Block have provided
them before implementing the security measures?

A.

AInformation about what is specified in the employment contract.

B.

Information about who employees should contact with any queries.

C.

Information about how providing consent could affect them as employees.

D.

Information about how the measures are in the best interests of the company.

 

In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

A.

When she is leaving her bank and moving to another bank.

B.

When she has recently changed jobs and no longer works for the same company.

C.

When she disagrees with a diagnosis her doctor has recorded on her records.

D.

When she no longer wishes to be sent marketing materials from an organization.

In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) 
reaffirmed the importance of using a “layered notice” to provide data subjects with what?

A.

A privacy notice containing brief information whilst offering access to further detail.

B.

A privacy notice explaining the consequences for opting out of the use of cookies on a website.

C.

An explanation of the security measures used when personal data is transferred to a third party.

D.

An efficient means of providing written consent in member states where they are required to do so.

A well-known video production company, based in Spain but specializing in documentaries
filmed worldwide, has just finished recording several hours of footage featuring senior
citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

A.

If obtaining consent is deemed to involve disproportionate effort.

B.

If obtaining consent is deemed voluntary by local legislation.

C.

CIf the company limits the footage to data subjects solely of legal age.

D.

If the company’s status as a documentary provider allows it to claim legitimate interest.