Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?
Correct Answer: A
According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1. This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1. A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer. Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1. Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1. Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1. Reference: What's new in WP29's final guidelines on transparency?
Question 58
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
Correct Answer: D
Reference: According to Article 84 of the GDPR, the rules on other penalties applicable to infringements of the GDPR, in particular for infringements which are not subject to administrative fines pursuant to Article 83, shall be laid down by the Member States1. Such penalties shall be effective, proportionate and dissuasive1. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them1. Reference: 1: Art. 84 GDPR - Penalties - General Data Protection Regulation (GDPR)
Question 59
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
Correct Answer: B
According to the Free CIPP/E Study Guide, page 14, "if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing." This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller's own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. Reference: Free CIPP/E Study Guide, page 14 GDPR, Article 36
Question 60
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
Correct Answer: D
According to the WP29 guidance on DPIA1, conducting a single DPIA to address multiple processing operations is allowed when the following conditions are met: The processing operations present similar high risks, which would result in very similar mitigating measures; The DPIA is reviewed and updated regularly to take into account any changes or new risks; The DPIA is complemented by ad hoc assessments where necessary to address more specific issues. The WP29 guidance cites the example of a railway operator who plans to evaluate the same video surveillance in all the train stations of his company as a case where a single DPIA would be sufficient, provided that the above conditions are met2. The other options do not meet these conditions, as they involve different types of processing operations, different purposes, different data subjects, or different technologies. Reference: WP29 guidance on DPIA WP29 guidance on DPIA, page 16
Question 61
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?
