IAPP CIPP-E - Certified Information Privacy Professional/Europe Certification Exam
Question #1 (Topic: Demo Questions)
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
Correct Answer: C
Explanation:
The OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all
aimed to harmonize the national data protection laws of the member states of the European
Economic Community (EEC) and to establish a common framework for the protection of personal
data. However, they largely failed to achieve this goal due to several reasons, such as:
The lack of political will and commitment from the member states to implement the directives fully
and consistently12.
The divergent interpretations and applications of the directives by different national authorities,
courts and regulators12.
The emergence of new technologies and challenges that required new or updated legal solutions,
such as electronic communications, cookies, biometrics, cloud computing, etc12.
The influence of other regional or international initiatives that addressed some aspects of data
protection differently or in conflict with the directives, such as the US Privacy Shield Framework3.
Reference: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E
Certification - International Association of Privacy Professionals 3: Schrems II: A Critical Analysis -
European Data Protection Board
Question #2 (Topic: Demo Questions)
A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?
Correct Answer: D
Explanation:
: The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2. The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union’s (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.
Question #3 (Topic: Demo Questions)
Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicatesthe nature of thisincident?
Correct Answer: D
Explanation:
A data breach is broadly defined as any incident that leads to the unauthorized access, disclosure, alteration, or destruction of personal data. While options A and B might seem plausible at first glance, they focus on a narrow interpretation of a breach. The key here is the loss of confidentiality and/or integrity. Even though no one has actively stolen the data, the bank can no longer guarantee the confidentiality of the information, nor can it ensure the integrity of the data since it cannot be accessed or modified securely. This constitutes a loss of control over the data and thus qualifies as a data breach. Reference: IAPP CIPP/E textbook, Chapter 5: Data Breach Notification (specifically, the definition of a personal data breach) GDPR Article 4(12) - Definition of a personal data breach
Question #4 (Topic: Demo Questions)
A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments. What is the lead supervisory authority for the SaaS service?
Correct Answer: C
Explanation:
Under the GDPR, the lead supervisory authority is determined by where the main establishment related to the processing activity is located. In this case, even though the company's headquarters is in Germany, the SaaS application was specifically defined and implemented by the Polish establishment. This indicates that the Polish establishment hasthe primary role in determining the purposes and means of processing personal data related to that SaaS service. Therefore, the supervisory authority of Poland would be the lead supervisory authority for this specific processing activity. Reference: GDPR Article 56 - Competence of the lead supervisory authority IAPP CIPP/E textbook, Chapter 3: EU General Data Protection Regulation (specifically, sections on One-Stop Shop mechanism and lead supervisory authority)
Question #5 (Topic: Demo Questions)
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
Correct Answer: B
Explanation: