To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a database, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
A. Compliant with the security principle, because the database is password-protected.
B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
C. Not applicable, because the database is password-protected, and therefore is not at risk of identifying any data subject.
D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the database.
Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
A. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
B. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?
A. It is not legal to include fields requiring information regarding health status without consent.
B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object.
D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
Direct marketing requires explicit consent, whereas the registration form only provides for a right to object.
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?
A. They must report it to TripBliss Inc.
B. They must conduct a full systems audit.
C. They must report it to the supervisory authority.
D. They must inform customers who have used the website.
They must conduct a full systems audit.
What are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.