Free Practice Questions for IAPP CIPP-E Exam

The General Data Protection Regulation (GDPR) introduces a mechanism for personal data transfers to third countries or international organisations that do not ensure an adequate level of data protection, based on approved certifications. According to Article 42 of the GDPR, the European Commission, the European Data Protection Board (EDPB) and the national data protection authorities (DPAs) shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

The GDPR also provides that the certification mechanisms shall be voluntary and available via a transparent process. The certification shall be issued by the competent supervisory authority or by the certification bodies accredited by the supervisory authority or by the national accreditation body. The certification shall be valid for a maximum period of three years and may be renewed, under the same conditions, if the relevant requirements continue to be met. The certification shall be withdrawn, as the case may be, by the competent supervisory authority or by the certification bodies, where the requirements for the certification are not or are no longer met.

The GDPR further stipulates that the certification shall be issued to a controller or processor who has demonstrated, in accordance with the approved certification criteria, that the processing of personal data is in compliance with the GDPR. The certification shall specify the scope and purpose of the processing, the criteria applied and the duration of the validity of the certification. The certification shall not reduce the responsibility of the controller or the processor for compliance with the GDPR and shall not be interpreted as an endorsement of the quality or reliability of the products or services of the controller or the processor by the supervisory authority or the certification body.

The GDPR also states that the certification mechanisms shall contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the different risks for the rights and freedoms of data subjects. The certification mechanisms shall allow for the verification of compliance with the GDPR of processing operations by controllers and processors not established in the EU, regardless of the location of the processing. The certification mechanisms shall also provide for the possibility to demonstrate compliance with the GDPR for personal data transfers to third countries or international organisations under Article 46, which sets out the rules and requirements for the transfer of personal data to third countries or international organisations based on appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms.

References:

GDPR, Articles 42, 43, 44, 45, 46, 47, 48 and 49.

EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15.

Free CIPP/E Study Guide, pages 9, 10, 11 and 12.

 According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees1. This means that all employees within the group must comply with the BCRs, irrespective of their location or the jurisdiction where they operate. The other options are incorrect, as they do not reflect the requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on BCRs23. References:

GDPR Article 47(2)(a)

EDPB Guidelines 3/2018 on the territorial scope of the GDPR

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

A Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR when data processing is likely to result in a high risk to individuals' rights and freedoms. This includes processing involving new technologies, systematic monitoring, or the large-scale processing of sensitive data​.

When should a DPIA be conducted?

Before implementing a new high-risk processing activity (e.g., a biometric access system).

Whenever a significant change in risk occurs (e.g., security updates, regulatory changes, new threats).

Regularly to reassess and mitigate emerging risks​.

Why is B the correct answer?

DPIAs are not a one-time process; they must be reviewed periodically to assess new risks​.

Why are other answers incorrect?

A (After the complaint) → A DPIA is a proactive measure, not something done only after a complaint.

C (At the end of the season) → GDPR does not require assessments to be tied to event cycles.

D (After regulatory notification) → DPIAs must be done before investigations, not as a response.

Conclusion: DPIAs should be conducted periodically when new risks arise, making B the correct answer​.

Under Article 9 of the GDPR, processing of special category data (e.g., ethnicity, health data) is prohibited unless an exception applies​.

Why is C the correct answer?

AI-based medical devices fall under "preventive or occupational medicine" as per GDPR Article 9(2)(h)​.

The AI system is used to detect skin cancer, a form of preventive medicine, making this the appropriate basis.

Why are other answers incorrect?

A (Scientific research or statistical purposes) → While scientific research can be a legal basis, it requires additional safeguards such as anonymization, which may not be feasible in this case​.

B (Substantial public interest) → While public health is important, this processing is specific to medical diagnosis, making Article 9(2)(h) more appropriate​.

D (Defense of legal claims) → Legal claims are not relevant here, as the processing is for bias mitigation in AI training​.

The OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all aimed to harmonize the national data protection laws of the member states of the European Economic Community (EEC) and to establish a common framework for the protection of personal data. However, they largely failed to achieve this goal due to several reasons, such as:

The lack of political will and commitment from the member states to implement the directives fully and consistently12.

The divergent interpretations and applications of the directives by different national authorities, courts and regulators12.

The emergence of new technologies and challenges that required new or updated legal solutions, such as electronic communications, cookies, biometrics, cloud computing, etc12.

The influence of other regional or international initiatives that addressed some aspects of data protection differently or in conflict with the directives, such as the US Privacy Shield Framework3.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals 3: Schrems II: A Critical Analysis - European Data Protection Board

 According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union2; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union3; © Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union4. References: 1: Article 3(2) of the GDPR; 2: EDPB Guidelines, paragraph 20; 3: EDPB Guidelines, paragraph 38; 4: EDPB Guidelines, paragraph 50.

According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, valid consent for the use of cookies must meet the following conditions:

•It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.

•It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.

•It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.

•It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an “I agree” button or selecting specific settings in a cookie banner.

•It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.

Therefore, a “Cookies Settings” button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a “Cookies Settings” button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.

On the other hand, a “Reject All” cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.

References: EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, pages 17-23.

 According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met. References:

Article 42 of the GDPR

European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

 A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals1. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated1. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure1. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland23. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority23. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process23. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.

The other options are not as effective as option C, because:

Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks1. Zandelay would need more detailed and practical advice to effectively perform a DPIA.

Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data1. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay1. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data2. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach2.

Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor1. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request1. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them2. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing2.

https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/

https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/