CIPP-E Practice Test

Select the answer below that accurately completes the following:
“The right to compensation and liability under the GDPR…

A.

…provides for an exemption from liability if the data controller (or data processor) proves
that it is not in any way responsible for the event giving rise to the damage.”

B.

…precludes any subsequent recourse proceedings against other controllers or
processors involved in the same processing.”

C.

...can only be exercised against the data controller, even if a data processor was involved in the same processing.”

D.

…is limited to a maximum amount of EUR 20 million per event of damage or loss.”

Why is advisable to avoid consent as a legal basis for an employer to process employee data?

A.

Employee data can only be processed if there is an approval from the data protection officer.

B.

Consent may not be valid if the employee feels compelled to provide it.

C.

An employer might have difficulty obtaining consent from every employee.

D.

Data protection laws do not apply to processing of employee data

Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in
France, but hosts its website through a company in Switzerland. As part of their service,
WonderKids will pass all personal data provided to them to the childcare provider booked
through their system. The type of personal data collected on the website includes the name
of the person booking the childcare, address and contact details, as well as information
about the children to be cared for including name, age, gender and health information. The
privacy statement on Wonderkids’ website states the following:
“WonderkKids provides the information you disclose to us through this website to your
childcare provider for scheduling and health and safety reasons. We may also use your
and your child’s personal information for our own legitimate business purposes and we
employ a third-party website hosting company located in Switzerland to store the data. Any
data stored on equipment located in Switzerland meets the European Commission
provisions for guaranteeing adequate safeguards for you and your child’s personal
information. We will only share you and your child’s personal information with businesses
that we see as adding real value to you. By providing us with any personal data, you
consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at
which point the data will be depersonalized, unless your personal information is being used
for a legitimate business purpose beyond 28 days where it may be retained for up to 2
years.”
“We are processing you and your child’s personal information with your consent. If you
choose not to provide certain information to us, you may not be able to use our services.
You have the right to: request access to you and your child’s personal information; rectify
or erase you or your child’s personal information; the right to correction or erasure of you
and/or your child’s personal information; object to any processing of you and your child’s
personal information. You also have the right to complain to the supervisory authority about
our data processing activities.”
What must the contract between WonderKids and the hosting service provider contain?

A.

The requirement to implement technical and organizational measures to protect the data.

B.

-to-controller model contract clauses.

C.

CAudit rights for the data subjects.

D.

A non-disclosure agreement.

In which situation would a data controller most likely be able to justify the processing of the
data of a child without parental consent?

A.

When the data is to be processed for market research.

B.

When providing preventive or counselling services to the child.

C.

When providing the child with materials purely for educational use.

D.

When a legitimate business interest makes obtaining consent impractical.

With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

A.

If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.

B.

When it has been determined that adequate protection can be performed.

C.

Only if the Data Protection Impact Assessment (DPIA) shows low risk.

D.

Only as a last resort and when interpreted restrictively.