Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it
is a multi-billion-dollar candy company operating on every continent. All of the company’s IT
servers are located in Vermont. This year Joe hires his son Ben to join the company and
head up Project Big, which is a major marketing strategy to triple gross revenue in just 5
years. Ben graduated with a PhD in computer software from a top university. Ben decided
to join his father’s company, but is also secretly working on launching a new global online
dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that
many of them might also be interested in finding their perfect match. For Project Big, Ben
redesigns the company’s online web portal and requires customers in the European Union
and elsewhere to provide additional personal information in order to remain a customer.
Project Big begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto
a separate database for Ben Knows Best. Ben believes that he is not doing anything
wrong, because he explicitly asks each customer to give their consent by requiring them to
check a box before accepting their information. As Project Big is an important project, the
company also hires a first-year college student named Sam, who is studying computer
science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer
information of people that reside in Ireland so that he and his friends can contact people
when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the
U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she
does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the
company to have in place a legal mechanism to transfer data internally from the company’s
operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge
of handling a major lawsuit that has been brought against the company in federal court in
the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make
copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s
information. Alice believes that Joe will be happy that she did the first level review, as it will
save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT
Department violated Article 5 of the GDPR because the company failed to first do what?
A. Send out consent forms to all of its employees.
B. Minimize the amount of data collected for the lawsuit.
C. Inform all of its employees about the lawsuit.
D. Encrypt the data from all of its employees.
Answer: B. Minimize the amount of data collected for the lawsuit (GDPR Article 5(1)(c), data minimisation).
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A. The controller will be liable to pay an administrative fine
B. The processor will be liable to pay compensation to affected data subjects
C. The processor will be considered to be a controller in respect of the processing concerned
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
Answer: C. The processor will be considered to be a controller in respect of the processing concerned (GDPR Article 28(10): a processor that determines the purposes and means of processing is treated as a controller for that processing).
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?
A. 1 month.
B. 3 months.
C. 5 months.
D. 12 months.
Answer: B. 3 months (GDPR Article 78(2)).
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll
function to Company B. Company B is an established payroll service provider with a
sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and
attendance data obtained via a biometric entry system installed in each of Company A’s
factories. Company B won’t hold any biometric data itself, but the related data will be
uploaded to Company B’s UK servers and used to provide the payroll service. Company
B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A
needs to carry out a data protection impact assessment in relation to the new time and
attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written
agreement requiring Company B to use the time and attendance data only for the purpose
of providing the payroll service, and to apply appropriate technical and organizational
security measures for safeguarding the data. Jenny suggests that Company B obtain
advice from its data protection officer. The company doesn’t have a DPO but agrees, in the
interest of finalizing the contract, to sign up for the provisions in full. Company A enters into
the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a
separate project meant to enhance the functionality of its payroll service, and engages
Company C to help. Company C agrees to extract all personal data from Company B’s live
systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server.
The two companies agree not to include any data processing provisions in their services
agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security
system, and suffers a cyber security incident soon after Company C begins work on the
project. As a result, data relating to Company A’s employees is visible to anyone visiting
Company C’s website. Company A is unaware of this until Jenny receives a letter from the
supervisory authority in connection with the investigation that ensues. As soon as Jenny is
made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate
technical and organizational measures. What would be the most realistic way that
Company B could have fulfilled this requirement?
A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
B. Requesting advice and technical support from Company A’s IT team.
C. Avoiding the use of another company’s data to improve their own services.
D. Vetting companies’ measures with the appropriate supervisory authority.
Answer: A. Hiring companies whose measures are consistent with recommendations of accrediting bodies (GDPR Article 28(5): adherence to an approved code of conduct or certification mechanism may be used to demonstrate sufficient guarantees).
Reference: https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?
A. Court of Auditors
B. Court of Justice of the European Union
C. European Court of Human Rights
D. European Data Protection Board
Answer: B. Court of Justice of the European Union.