Question 1

SCENARIO -

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.

The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.

Should Jane modify the required GDPR rights waiver for non-European residents?

Options :

A : Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

B : Yes, this clause must be entirely removed as all customers, regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

C : No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

D : No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Answer: B

Question 2

Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

Options :

A : The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

B : The name/s of relevant government agencies involved and the steps needed for revising the data.

C : The identity and contact details of the controller and the reasons the data is being collected.

D : The contact information of the controller and a description of the retention policy.

Answer: C

Question 3

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

Options :

A : Assessed potential privacy risks by conducting a data protection impact assessment.

B : Consulted with the relevant data protection authority about potential privacy violations.

C : Distributed a more comprehensive notice to employees and received their express consent.

D : Consulted with the Information Security team to weigh security measures against possible server impacts.

Answer: C

Question 4

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

Options :

A : The Court of Justice of the European Union.

B : The European Data Protection Supervisor.

C : The European Court of Human Rights.

D : The European Data Protection Board.

Answer: A

Question 5

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

Options :

A : Employees must sign an ad hoc contractual agreement each time personal data is exported.

B : All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C : All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

D : Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Answer: C

Confidently Practice Online with Free CIPP-E Exam Cram

Buying Options: