CIPP-E exam

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?A . Employees must sign an ad hoc contractual agreement each time personal data is exported.B . All employees are subject to the rules in their entirety, regardless of where the...

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?A . The requirements affected individuals without exception.B . The requirements were financially burdensome to EU businesses.C . The requirements specified that data must be held within the EU.D . The requirements had limitations...

What type of data lies beyond the scope of the General Data Protection Regulation?A . PseudonymizedB . AnonymizedC . EncryptedD . MaskedView AnswerAnswer: B Explanation: Reference: https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/the-purposes-and-scope-of-the-general-data-protection-regulation/

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?A . The Directive was superseded by the EU Directive on Privacy and Electronic Communications.B . The Directive was superseded by the General...

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?A . Documenting due diligence steps taken in the pre-contractual stage.B . Conducting a risk assessment to analyze possible outsourcing threats.C . Requiring that...

Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?A . The European CouncilB . The European ParliamentC . The European CommissionD . The Council of the European UnionView AnswerAnswer: C Explanation: Reference: https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501

According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?A . As soon as possible after obtaining the personal data.B . As soon as possible after the...

Which of the following is the weakest lawful basis for processing employee personal data?A . Processing based on fulfilling an employment contract.B . Processing based on employee consent.C . Processing based on legitimate interests.D . Processing based on legal obligation.View AnswerAnswer: B Explanation: Reference: https://www.itgovernance.co.uk/blog/gdpr-lawful-bases-for-processing-with-examples

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR? A. The obligation of companies to declare data breaches. B. The requirement to demonstrate compliance to a supervisory authority. C. The necessity of the bulk collection of personal data...

Read the following steps: ✑ Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices ✑ Monitor and analyze the apps and devices for compliance ✑ Manage application life cycles ✑ Monitor data sharing An organization should perform...