A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

• A.Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
• B.Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
• C.Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
• D.Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.

Comment: *

Name: *

Email: *

Verification: *

What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

• A.Its penalties for violations of data protection rights were widely viewed as r sufficient.
• B.It was implemented in a fragmented manner by a small number of states.
• C.IT did not account for the rapid growth of the Internet
• D.It did not include protections for sensitive personal data

Comment: *

Name: *

Email: *

Verification: *

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

• A.When creating an untargeted pop-up ad on a website.
• B.When calling a potential customer to notify her of an upcoming product sale.
• C.When emailing a customer to announce that his recent order should arrive earlier than expected.
• D.When paying a search engine company to give prominence to certain products and services within specific search results.

Comment: *

Name: *

Email: *

Verification: *

A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

• A.Update the privacy notice upon which consent was given
• B.Proceed no further, as such repurposing is unlawful
• C.Obtain specific consent for the new processing
• D.Only inform the data subjects of the new purpose.

Comment: *

Name: *

Email: *

Verification: *

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

• A.Supply any information requested by a data protection authority (DPA) within 30 days.
• B.Submit the contract to its own government authority.
• C.Ensure that notice is given to and consent is obtained from data subjects.
• D.Ensure that local laws do not impede the company from meeting its contractual obligations.

Comment: *

Name: *

Email: *

Verification: *