Download CIPP E FINAL LATEST EXAM WITH 400+ QUESTIONS AND CORRECT ANSWERS FOR GUARANTEED PASS.pdf and more Exams Medicine in PDF only on Docsity!
CIPP/E FINAL LATEST EXAM WITH
400+ QUESTIONS AND CORRECT
ANSWERS FOR GUARANTEED PASS
question-European Convention on Human Rights - answer-Treaty drawn up by the Council of Europe that protects fundamental rights. Adopted in 1953 and based on the Universal Declaration of Human Rights. question-European Convention on Human Rights - Enforcement - answer-Enforced by the European Court of Human Rights question-European Convention on Human Rights - Article 8 - answer-Protects rights of individuals question-European Convention on Human Rights - Article 10 - answer-Protects the right of freedom of expression and the right to share information and ideas across national boundaries. Universal Declaration of Human Rights - Passage - answer- 1948 question-Universal Declaration of Human Rights - Article 12 - answer-The right to a private life and associated freedoms. question-Universal Declaration of Human Rights - Article 19 - answer-Freedom of expression.
question-Universal Declaration of Human Rights - Article 29(2) - answer-Rights are not absolute and there are instances where a balance must be struck. question-OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) - answer-Guidelines comprised basic non-legally binding rules governing transferred flows and the protection of personal information and privacy in order to facilitate the harmonization of data protection law between countries. question-Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data - answer-Also known as Convention 108. Was the first legally binding international instrument in the area of data protection. Convention 108 sets the standard for the protection of the personal data of individuals while also seeking to find a balance for the need to maintain the free flow of personal data for the purposes of international trade. question-Convention 108 v. OECD Guidelines - answer-Convention 108 differs from the Guidelines in that it required signatories to take the necessary steps in their domestic legislation to apply the principles it lays down. question-Treaty of Lisbon - answer-In force in 2009. Aims to strengthen and improve the core structures of the EU to enable it to function more efficiently and ensures that all institutions of the EU must have regard to the protection of individuals when processing personal data. question-European Parliament - answer-The only European institution whose members are directly elected. It has four responsibilities:
question-Data Protection Directive (95/46/EC) - answer-Sets out general principles and leaves member states to implement these as they see fit. question-E-Privacy Directive - answer-Concerns the processing of personal data and the protection of privacy in the electronic communications sector and covers all forms of electronic communications. question-E-Privacy Directive Amendment - answer-The changes generally relate to the introduction of mandatory notification of personal data breaches by electronic communications services provider. Perhaps the most pertinent and controversial amendment concerns the new provision affecting cookies: the storing of information (or the gaining of access to information already stored) in the terminal equipment of a subscriber or user is allowed only on the condition that the user concerned has given consent, having been provided with clear and comprehensive information. question-Data Retention Directive (2006/24/EC) - answer-Retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks amends the relevant data retention provisions of the e-Privacy Directive. The Directive does not cover retention of the actual content of communications--rather it applies to traffic and location data of both individuals and organizations, as well as to the relevant data necessary to identify the subscriber or registered user. question-Personal Data - answer-Any information relating to an identified or identifiable natural person.
question-Sensitive Personal Data - answer-Personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious beliefs;
- Philosophical beliefs;
- Trade union membership;
- Health; or
- Sex life. question-Controller - answer-Natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data. question-Processor - answer-A person (other than an employee of the controller) who processes personal data on behalf of a controller. A processor may be more closely involved in the processing of personal data but does not have the authority to allocate responsibility that a controller has. The processor is only acting on behalf of the controller, although the processor's status can have a direct legal effect. question-Data Protection Directive - Article 4(1)(a) - answer-The law of a member state applies when the data processing is carried out in the context of the activities of an establishment of the controller on the territory of the member state.
- an enforceable contractual agreement;
- the duty of confidence; or
- the human right to privacy question-Purpose Limitation - answer-Imposes limits on data controllers' use of personal data. The principle of purpose limitation is also called the principle of finality, as it imposes limits on the processing of data for purposes other than those for which it was obtained. Exception: the Directive allows for the further processing of personal data for research purposes, even if the data was not collected for those purposes, as long as the member states provide "appropriate safeguards." question-Data Quality - answer-The principle has two distinct aspects:
- Accuracy of the data--data controllers must ensure that personal information is accurate when collected and remains accurate afterwards.
- Data retention--the Directive requires data controllers to delete irrelevant or unnecessary information after considering the purposes for which the data was collected or for which it is further processed. question-Legitimate Processing Criteria -- Personal Data - answer-1. Unambiguous consent;
- Contractual necessity;
- Compliance with law;
- Protection of vital interests;
- Public interest/official authority; or
- Legitimate interests of controller question-Legitimate Processing Criteria -- Sensitive Personal Data - answer-1. Explicit consent;
- Employment law;
- Protection of vital interests;
- Non-profit membership;
- Made public by individual; or
- Establishment, exercise, or defense of legal claims. question-Consent - answer-Freely given (i.e., they must have a genuine choice); Specific (i.e., given specifically for the particular processing operation in question); and Informed (i.e., data subject is given all the necessary details of the processing activity in a language and form he can understand) question-Legitimate Interest Balancing Test - answer-1. The processing must be necessary for the purpose;
- The purpose must a be legitimate interest of the controller or a third party to whom the data is disclosed; and
- the legitimate interest cannot impinge upon the data subject's fundamental rights and freedoms.
question-DPA Notification Obligation Purposes - answer-1. Foster transparency;
- Assists the DPAs with regulatory functions; and
- Source of funds question-DPA Notification - answer-Immediate requirement is to notify the relevant national data protection authorities that the organization intends to process personal information. question-DPA Notification -- Prior Authorization - answer-Prior checking is carried out by the national DPA following receipt of a notification from the data controller or data protection official. Typically, this requirement for prior checking takes place when judicial data or "sensitive" personal data is due to be processed. question-International Data Transfers -- Adequacy Determinations - answer-The Directive allows the European Commission to determine whether a third country ensures an adequate level of protection. question-International Data Transfers -- Countries with Adequate Levels of Protection - answer- Switzerland, Hungary (which is now part of the EEA), Canada, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra, and Israel. question-International Data Transfers -- Derogations - answer-1. Consent;
- Contract Performance;
- Substantial Public Interest;
- Legal Claims;
- Vital Interets; or
- Public Registers. question-Safe Harbor Privacy Principles - answer-1. Notice;
- Choice;
- Onward Transfer;
- Security;
- Data Integrity;
- Access; and
- Enforcement. question-Safe Harbor - Pros - answer-1. Tailored to US thinking;
- Straightforward process;
- Easy to publicize; and
- Profile raising experience. question-Safe Harbor - Cons - answer-1. Limited to US imports;
- Sectors excluded;
- Greater accountability; and
- Weaknesses identified. question-Model Contracts - answer-Contractual approach per Article 26(4) of the Directive to ensuring "adequacy."
- Reduced scrutiny
- Framework for global compliance program question-BCR - Cons - answer-1. Not self-certification yet
- Lack of DPAs' resources
- Top management buy-in required question-DPAs' Powers and Responsibilities - answer-1. Investigative powers
- Powers of intervention
- Power to engage in legal proceedings
- Receiving and dealing with complaints
- Annual reports
- International cooperation question-Article 29 Working Party - Responsibilities - answer-1. Draft opinions
- Outputs -- Opinions -- Working documents -- Annual reports
- Spot divergences
- Issue recommendations
- Annual reports
question-European Data Protection Supervisor - answer-Ensures that the institutions of the EU respect the fundamental rights and freedoms of individuals, particularly their rights to privacy. question-European Data Protection Supervisor - Duties - answer-1. Investigate complaints
- Conduct inquiries
- Advise institutions
- Monitor developments
- Cooperate with DPAs
- Participate in Article 29 Working Party question-European Data Protection Supervisor - Powers - answer-1. Give advice
- Order compliance
- Warn controllers
- Impose ban on processing
- Refer matters to ECJ
- Intervene before ECJ question-Typical Employment Data Processing Situations - answer-1. Consent (although relying on consent has considerable disadvantages).
- Necessary to fulfill a (employment) contract.
- necessary to meet a legal obligation.
- Legitimate interests.
- Legitimacy--an employer must have lawful grounds for collecting and using the personal and, if appropriate, sensitive personal data, and the processing must be fair.
- Proportionality--any monitoring that takes place must proportionate to the issue that the employer is dealing with.
- Transparency--an employer must inform employees of the monitoring that will be carried out. question-Surveillance - Biometrics - answer-Where controllers plan to use biometric systems that store data in centralized databases, the Working Party has recommended that member states ensure such systems are submitted to DPAs for prior checking, because this kind of processing is likely to present specific risks to individuals. question-Marketing - Postal Mail - answer-There is no express requirement in the Directive to obtain consent to send direct postal marketing. In some member states, data controllers must cleanse their contact list against applicable national opt-out registers (Austria and Denmark). Must satisfy the general compliance requirements of the Data Processing Directive when processing individuals' personal data to send postal marketing, including the transparency requirement and the lawful processing requirement. However, because postal marketing is not digital marketing, it is not subject to the requirements of the e-Privacy Directive. question-Marketing - Direct Marketing - answer-The term "direct marketing" refers specifically to the communication, by whatever means, of any advertising or marketing materials directed to particular individuals. Working Party considers it to include any form of sales promotion and direct marketing by charities and political organizations.
question-Marketing - Telephone Marketing - answer-A form of digital marketing and is therefore subject to the requirements of the e-Privacy Directive. Must also ensure that they satisfy the general compliance requirements in the Directive. question-Telephone Marketing - Consent - answer-There is no express requirement in the e- Privacy Directive to obtain individuals' consent for person-to-person telephone marketing. However, Article 13(3) does require that, at a minimum, member states ensure that individuals have a means by which to opt out, free of charge, from direct telephone marketing. question-Marketing by Electronic Communication - answer-The e-Privacy Directive requires that, in general, data controllers must obtain prior (opt-in) consent from individuals to send them marketing by electronic mail. question-Marketing by Electronic Communication -- Consent Exception - answer-The e-Privacy Directive allows a limited exemption from this strict opt-in requirement for direct marketing by electronic mail to individuals whose details the data controller obtained "in the context of the sale of a product or service." The option to "opt out," though, must be provided on every communication. What is the CLOUD Act? - answer-Clarifying Lawful Overseas Use of Data question-What are main points of CLOUD Act? - answer-1. Applies to information anywhere in the world if data is in the "possession, custody or control" of the recipient of the warrant.
question-What is the legislative Framework for EU Privacy? - answer-1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (CoE Convention)
- EU Data Protection Directive (95/46/EC)
- EU Directive on Privacy and Electronic Communications (2002/58/EC), as amended
- EU Directive on Electronic Commerce (2000/31/EC)
- European data retention regimes
- GDPR question-What are the 6 data protection principles - answer-1. Fairness and lawfulness
- Purpose limitation
- Proportionality
- Accuracy
- Storage limitation
- Integrity and confidentiality question-What are the 5 Legitimate Processing Criteria? - answer-1. Consent
- Contractual necessity
- Legal obligation, vital interests, public interests
- Legitimate interests
- Special categories of processing question-What are 7 Data Subject Rights? - answer-1. Access
- Rectification
- Erasure and Right to be Forgotten
- Restriction and objection
- Automated decision making, including profiling
- Data portability
- Restrictions question-What is the Treaty of Lisbon? - answer-"On 13 December 2007, the Treaty of Lisbon ('Lisbon Treaty') was signed by the EU member states; it became effective 1 December 2009. Its main aim is to strengthen and improve the core structures of the European Union to enable it to function more efficiently." question-Article 1 - answer-Subject matter and objectives question-Article 2 - answer-Material scope question-Article 3 - answer-Territorial scope question-Article 4 - answer-Definitions question-Article 5 - answer-Principles relating to processing of personal data question-Article 6 - answer-Lawfulness of processing
