Question 1

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

Options :

A : Notify the newspaper that its article it is delisting the article.

B : Fully erase the URL to the content, as opposed to delist which is mainly based on data subject-s name.

C : Identify other controllers who are processing the same information and inform them of the delisting request.

D : Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: A

Question 2

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

Options :

A : The ease of identification of individuals.

B : The size of any data processor involved.

C : The special characteristics of the data controller.

D : The nature, sensitivity and volume of personal data.

Answer: B

Question 3

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

Options :

A : A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

B : A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

C : A health professional involved in the medical care for the data subject, where the data subject-s life hinges on the timely dissemination of such information.

D : A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.

Answer: B

Question 4

Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GOPR. Why would such practice be permitted?

Options :

A : Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

B : Because photographs qualify as biometric data only when they undergo a "specific technical processing".

C : Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

D : Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: B

Question 5

What should a controller do after a data subject opts out of a direct marketing activity?

Options :

A : Without exception, securely delete all personal data relating to the data subject.

B : Without undue delay, provide information to the data subject on the action that will be taken.

C : Refrain from processing personal data relating to the data subject for the relevant type of communication.

D : Take reasonable steps to inform third-party recipients that the data subject-s personal data should be deleted and no longer processed.

Answer: C

Higher Test Marks with Free Online CIPP-E Exam Practice

Buying Options: