01. Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
a) The right to privacy is an absolute right
b) The right to privacy has to be balanced against other rights under the ECHR
c) The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
d) The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
02. A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
a) The ePrivacy Directive
b) The E-Commerce Directive
c) The Data Retention Directive
d) The EU Cybersecurity Directive
03. The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
a) Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
b) Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
c) Failure to process personal information in a manner compatible with its original purpose.
d) Failure to provide the means for a data subject to rectify inaccuracies in personal data.
04. Which of the following is the weakest lawful basis for processing employee personal data?
a) Processing based on fulfilling an employment contract.
b) Processing based on employee consent.
c) Processing based on legitimate interests.
d) Processing based on legal obligation.
05. How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
a) The ePrivacy Directive allows individual EU member states to engage in such data retention.
b) The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
c) The Data Retention Directive’s annulment makes such data retention now permissible.
d) The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
06. Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
a) A mandatory notification for personal data breaches applicable to electronic communication providers.
b) A voluntary notification for personal data breaches applicable to electronic communication providers.
c) A mandatory notification for personal data breaches applicable to all data controllers.
d) A voluntary notification for personal data breaches applicable to all data controllers.
07. If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?
a) 1 month.
b) 5 months.
c) 3 months.
d) 12 months.
08. Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?
a) Personal data revealing ethnic origin.
b) Personal data revealing financial data.
c) Personal data revealing genetic data.
d) Personal data revealing trade union membership.
09. In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?
a) The predicted consequences of the breach.
b) The measures being taken to address the breach.
c) The type of security safeguards used to protect the data.
d) The contact details of the appropriate data protection officer.
10. To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
a) Compliant with the security principle, because the data base is password-protected.
b) Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
c) Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data subject.
d) Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.
The purpose of this Sample Question Set is to provide you with information about the IAPP Certified Information Privacy Professional/Europe (CIPP-E) exam. These sample questions will make you very familiar with both the type and the difficulty level of the questions on the CIPP-E certification test. To get familiar with real exam environment, we suggest you try our Sample IAPP Information Privacy Professional/Europe Certification Practice Exam. This sample practice exam gives you the feeling of reality and is a clue to the questions asked in the actual IAPP Certified Information Privacy Professional/Europe (CIPP-E) certification exam.