Free Practice Questions for IAPP CIPP-E Exam

The EU Artificial Intelligence Act (AI Act) introduces strict regulations for high-risk AI systems to ensure safety, fairness, and transparency. These regulations apply to both providers and users of AI systems within the EU and even globally under certain conditions.

Key obligations for providers of high-risk AI systems under the AI Act include:

Conformity Assessment (Answer Choice D)

Before placing a high-risk AI system on the market, the provider must conduct a conformity assessment to ensure compliance with EU legal and ethical standards​.

Public Registration of High-Risk AI Systems (Answer Choice B)

The AI Act requires high-risk AI systems to be registered in an EU-wide database maintained by the European Commission to enhance transparency and oversight​.

Providing Documentation (Answer Choice C)

Providers must supply detailed technical documentation about the AI system to users, ensuring they understand the system’s functionality, risks, and compliance measures​.

Why is Answer Choice A incorrect?

The AI Act does not explicitly require providers to ensure users understand how the system mitigates bias. Instead, providers must ensure the quality of training and testing data and implement safeguards to prevent bias, but this does not extend to user education on bias mitigation​.

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification. References:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3

According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the user’s device requires the user’s consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the user’s browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved or the recipients of the data do not affect the consent requirement for the use of cookies. The consent must also be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.

Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. However, in this scenario, there is no indication that the cookies collect or process such data. Therefore, option B is incorrect.

Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user whose device is accessed or stored by the cookie, regardless of who receives the data or how it is processed. Therefore, option C is incorrect.

Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie. Therefore, option D is incorrect.

References:

ePrivacy Directive, Article 5(3)

GDPR, Article 4(11), Article 7, Article 9

CIPP/E Study Guide, Chapter 5, Section 5.2.2

According to the GDPR, pseudonymization is a technique that reduces the linkability of personal data to a specific data subject by replacing identifying attributes with pseudonyms1. Pseudonymization is not a sufficient measure to anonymize personal data, which means that the data cannot be attributed to an identifiable person without additional information2. Pseudonymization can help data controllers and processors to comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, as well as to enhance the security and confidentiality of personal data3.

In this scenario, JaphSoft’s use of pseudonymization is not in compliance with the GDPR because of option C: JaphSoft was in possession of information that could be used to identify data subjects. This is because JaphSoft did not keep the additional information (the contact information) separately from the pseudonymized data (the identifying information), and did not apply technical and organizational measures to prevent the re-identification of the data subjects4. This means that JaphSoft could potentially link the personal data to the individuals, and therefore, the data was not effectively pseudonymized. Moreover, JaphSoft did not have a deletion process for the data it received from clients, which could violate the principle of storage limitation that requires personal data to be kept no longer than necessary for the purposes for which they are processed.

According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie’s recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred. References:

Article 46 of the GDPR

IAPP CIPP/E Study Guide, page 67

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.

Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.

Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant