Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 23)

Question 107

Which of the following was the first legally binding international instrument in the area of data protection?

A.Convention 108.
B.General Data Protection Regulation.
C.Universal Declaration of Human Rights.
D.EU Directive on Privacy and Electronic Communications.

Correct Answer: A

Reference:
Convention 108, also known as the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was adopted by the Council of Europe in 1981. It was the first legally binding international instrument on data protection and required signatories to take steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data1. The Convention covers both the public and private sectors, and applies to any type of data processing, whether automated or not. The Convention also provides for the establishment of independent supervisory authorities and the facilitation of transborder data flows2.
The other options are incorrect because:
B) The General Data Protection Regulation (GDPR) is a regulation of the European Union that came into force in 2018. It is not the first legally binding international instrument on data protection, but rather a successor of the EU Directive 95/46/EC, which was adopted in 1995 and implemented by the EU member states in their national laws3.
C) The Universal Declaration of Human Rights (UDHR) is a resolution of the United Nations General Assembly that was adopted in 1948. It is not a legally binding international instrument, but rather a declaration of common principles and values that guide the development of human rights law. The UDHR does not explicitly mention data protection, but rather recognizes the right to privacy as a fundamental human right in Article 124.
D) The EU Directive on Privacy and Electronic Communications (e-Privacy Directive) is a directive of the European Union that was adopted in 2002 and amended in 2009. It is not the first legally binding international instrument on data protection, but rather a specific instrument that complements the EU Directive 95/46/EC and the GDPR by providing additional rules for the protection of personal data in the context of electronic communications services5.

Question 108

Which of the following would require designating a data protection officer?

A.The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
B.Processing is carried out by an organization employing 250 persons or more.
C.Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
D.The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

Question 109

SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency's roles in this relationship?

A.XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.
B.ABC Hotel Chain and XYZ Travel Agency are independent controllers.
C.ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.
D.ABC Hotel Chain and XYZ Travel Agency are joint controllers.

Question 110

As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.
What would be the most appropriate way to confirm the identity of the customer?

A.Request that the customer provide his bank account number.
B.Request that the customer answer additional security questions.
C.Request a copy of the customer's last bank account statement.
D.Request a copy of the customer's government-issued ID document.

Question 111

In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

A.If the cookies do not track personal data, then pre-checked boxes are acceptable.
B.If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.
C.If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
D.If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 107

Question 108

Question 109

Question 110

Question 111

Download PDF File