CIPP/E Chapter 1 Quiz
-
Which was the first legally binding data protection instrument?
-
Convention 108
-
OECD Guidelines
-
Treaty of Libson
-
Data protection directive
-
.
- 2.
Which treaty created the EU?
-
Treaty of Maastricht
-
Treaty of Libson
-
Treaty of Rome
-
Treaty of European Union
Correct Answer
A. Treaty of MaastrichtExplanation
The Treaty of Maastricht is the correct answer because it is the treaty that officially created the European Union (EU). It was signed in 1992 and came into effect in 1993. The treaty established the EU as a political and economic union, laying the foundation for the creation of the euro currency, the development of a common foreign and security policy, and the expansion of the EU's membership. The Treaty of Maastricht marked a significant step towards European integration and the formation of the EU as we know it today.Rate this question:
-
- 3.
Which treaty promoted the European Charter of Fundamental human rights to the same legal status as other treaties, making it legally binding?
-
Treaty of Libson
-
Treaty of Rome
-
Treaty of European Union
-
Treaty of Maastricht
Correct Answer
A. Treaty of LibsonExplanation
The Treaty of Lisbon promoted the European Charter of Fundamental Human Rights to the same legal status as other treaties, making it legally binding. This treaty, signed in 2007 and entered into force in 2009, aimed to streamline and reform the functioning of the European Union. It strengthened the role of the EU institutions, enhanced the decision-making process, and increased the democratic accountability of the Union. One of the key provisions of the Treaty of Lisbon was the elevation of the Charter of Fundamental Human Rights to a legally binding document, ensuring the protection of human rights within the EU.Rate this question:
-
- 4.
Germany requires an organization with at least what number of employees to appoint a DPO?
-
9
-
15
-
50
-
150
Correct Answer
A. 9Explanation
Germany requires an organization with at least 9 employees to appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with data protection laws and regulations, as well as advising the organization on data protection matters. This requirement is in line with the European Union's General Data Protection Regulation (GDPR), which aims to protect the privacy and personal data of individuals within the EU. By appointing a DPO, organizations can demonstrate their commitment to data protection and ensure that they handle personal data in a responsible and lawful manner.Rate this question:
-
- 5.
Which treaty created the European Economic Area?
-
Treaty of Maastricht
-
Treaty of Libson
-
Treaty of Rome
-
Treaty of European Union
Correct Answer
A. Treaty of RomeExplanation
The Treaty of Rome created the European Economic Area. This treaty, signed in 1957, established the European Economic Community (EEC) which aimed to create a common market among its member states. The EEC aimed to promote economic integration, free movement of goods, services, capital, and labor, and to eliminate trade barriers among its member countries. The Treaty of Rome was a key step in the formation of the European Union and laid the foundation for the development of the single market.Rate this question:
-
- 6.
Which directive requires (and establishes) a data protection authority (DPA) in each member state?
-
Data protection directive
-
Data retention directive
-
Convention 108
-
General data protection regulation
Correct Answer
A. General data protection regulationExplanation
The correct answer is the General Data Protection Regulation (GDPR). The GDPR requires and establishes a data protection authority (DPA) in each member state. These DPAs are responsible for enforcing and overseeing the application of the GDPR within their respective countries. They play a crucial role in ensuring the protection of individuals' personal data and promoting compliance with the regulation.Rate this question:
-
- 7.
Which of the following is the Data Protection Directive?
-
95/46/EC
-
85/51/EC
-
71/45/EC
-
25/31/EC
Correct Answer
A. 95/46/ECExplanation
The correct answer is 95/46/EC. This is the Data Protection Directive that was adopted by the European Union in 1995. It sets out the principles and rules for the protection of personal data within the EU member states. The directive aims to harmonize data protection laws across the EU and ensure that individuals' privacy rights are respected. It outlines requirements for the processing, storage, and transfer of personal data, as well as the rights of individuals to access and rectify their personal data.Rate this question:
-
- 8.
When brexit occurs, UK will repeal which act?
-
European Communities Act (ECA)
-
Data Protection Act
-
Magnitsky Act
-
EU Withdrawal Act
Correct Answer
A. European Communities Act (ECA)Explanation
When Brexit occurs, the UK will repeal the European Communities Act (ECA). This act was enacted in 1972 and it incorporated EU law into UK law, giving EU law supremacy over national law. Repealing the ECA will signify the UK's departure from the EU and the end of the supremacy of EU law in the UK.Rate this question:
-
- 9.
Which treaty formally recognized the European Council as a EU institution?
-
Treaty of Maastricht
-
Treaty of Libson
-
Treaty of Rome
-
Treaty of European Union
Correct Answer
A. Treaty of LibsonExplanation
The Treaty of Lisbon formally recognized the European Council as a EU institution. The European Council is an important decision-making body within the EU, composed of the heads of state or government of EU member countries, along with the President of the European Commission. The treaty, signed in 2007 and entered into force in 2009, aimed to streamline and strengthen the EU's institutions and decision-making processes. It introduced changes to various EU treaties, including the recognition of the European Council as a formal institution.Rate this question:
-
- 10.
Which of the following are directly applicable to EU member states?
-
EU regulations
-
EU Directives
-
Guidelines
-
EU precedents
Correct Answer
A. EU regulationsExplanation
EU regulations are directly applicable to EU member states. Regulations are binding legislative acts that are directly applicable in all EU member states without the need for national implementation. They have a direct effect and are automatically binding and enforceable in each member state. Therefore, EU regulations have a direct impact on the laws and policies of EU member states.Rate this question:
-
- 11.
A data subject requests their data be deleted by an organziation. After reviewing, the organization determines they do not have any data on the data subect. Which is the appropriate response?
-
Respond and let the subject know they do not have data, and that the subject can contact their DPA to lodge a complaint
-
Do not respond
-
Respond and let the subject know they do not have data, and there is nothing more they can do
-
Respond and let the subject know they do not have data, and the subject can ask for a review but will be charged a nominal fee
Correct Answer
A. Respond and let the subject know they do not have data, and that the subject can contact their DPA to lodge a complaintExplanation
The appropriate response in this situation is to inform the data subject that the organization does not have any data on them and advise them to contact their Data Protection Authority (DPA) if they wish to lodge a complaint. This ensures that the data subject is informed about the status of their data and provides them with a recourse to address any concerns they may have.Rate this question:
-
- 12.
Which of the following is not a reason to decline a data subject's request for erasure of their data?
-
For the performance of a service
-
For legal claims (e.g. court cases)
-
For exercising the right of freedom of expression and information
-
For performance of a task carried out in public interest (research, public health, public interest)
Correct Answer
A. For the performance of a serviceExplanation
The reason "For the performance of a service" is not a valid reason to decline a data subject's request for erasure of their data because the right to erasure, also known as the right to be forgotten, allows individuals to request the deletion or removal of their personal data when there is no compelling reason for its continued processing. The performance of a service does not qualify as a legitimate reason to retain someone's personal data against their request for erasure.Rate this question:
-
- 13.
Which of the following is not a reason to decline a data subject's request for erasure of their data?
-
For social media purposes
-
For compliance with a legal obligation
-
For exercising the right of freedom of expression and information
-
For archiving purposes in public interest (research, scientific, statistical purposes)
Correct Answer
A. For social media purposesExplanation
The reason "For social media purposes" is not a valid reason to decline a data subject's request for erasure of their data because social media purposes do not outweigh an individual's right to have their personal data erased. The right to erasure is a fundamental right under data protection laws, and social media purposes do not fall under any of the exceptions mentioned in the question. Therefore, a data subject's request for erasure should be honored regardless of social media purposes.Rate this question:
-
- 14.
Which reason below is not a reason to not notify data subjects of a data breach?
-
Controller cannot prove data breach occurred
-
Controller has ensured the high risk from the data breach is likely to not materialize
-
Controller implemented appropriate protection methods to render data unintelligible to unauthorized users (e.g. encryption)
-
It would involve disproportionate effort
Correct Answer
A. Controller cannot prove data breach occurredExplanation
The reason "Controller cannot prove data breach occurred" is not a valid reason to not notify data subjects of a data breach because notification should be made regardless of whether the controller can prove the breach occurred. The purpose of notifying data subjects is to inform them about the breach and any potential risks or consequences they may face. Even if the controller is unable to provide concrete evidence of the breach, it is still important to notify data subjects in order to maintain transparency and allow them to take any necessary actions to protect their personal data.Rate this question:
-
- 15.
Who bust approve Binding Corporate Rules (BCRs) before they can be used?
-
Data Protection Authority
-
Executive Team
-
Outside Legal Counsel
-
The government where corporate HQ is located
Correct Answer
A. Data Protection AuthorityExplanation
Binding Corporate Rules (BCRs) are a set of legally binding internal rules that govern the transfer of personal data within a multinational company. These rules must be approved by the Data Protection Authority before they can be implemented. The Data Protection Authority is responsible for ensuring that the BCRs comply with applicable data protection laws and regulations, and that they provide adequate safeguards for the protection of personal data. Therefore, the Data Protection Authority must review and approve the BCRs before they can be used by the company.Rate this question:
-
- 16.
In which scenario is biometric data not covered under article 9?
-
Granting access
-
Identifying a person
-
Determining gender
-
Categorizing the individual
Correct Answer
A. Granting accessExplanation
Biometric data is not covered under Article 9 in the scenario of granting access. Article 9 of the General Data Protection Regulation (GDPR) prohibits the processing of special categories of personal data, including biometric data, unless certain conditions are met. However, when it comes to granting access, biometric data may be processed as it is necessary for authentication and security purposes. Therefore, in this scenario, the processing of biometric data is exempted from the restrictions of Article 9.Rate this question:
-
- 17.
Which of the following is not a power the DPA has?
-
Adjudicative power
-
Investigatory power
-
Corrective Power
-
Authorization and advisory power
Correct Answer
A. Adjudicative powerExplanation
The correct answer is "Adjudicative power." The DPA, or Data Protection Authority, is an organization responsible for enforcing data protection laws. Adjudicative power refers to the authority to make legal judgments and decisions. However, the DPA's main powers include investigatory power (conducting investigations into data breaches or privacy violations), corrective power (imposing fines or penalties for non-compliance), and authorization and advisory power (granting permissions or providing guidance on data protection matters). Adjudicative power, which involves making legal judgments, is not within the scope of the DPA's responsibilities.Rate this question:
-
- 18.
Which of the following is not considered employee monitoring?
-
Unique computer logins
-
Using a DLP tool
-
Setting up CCTV cameras in the office
-
Reviewing badge access
Correct Answer
A. Unique computer loginsExplanation
Unique computer logins are not considered employee monitoring because they are a basic security measure that allows employees to access their own computers and protect sensitive information. It is a standard practice for employees to have their own login credentials to ensure accountability and prevent unauthorized access. Employee monitoring, on the other hand, refers to the tracking and surveillance of employees' activities, such as monitoring their internet usage, email communications, or screen recording.Rate this question:
-
- 19.
Which EU institutions are responsible for voting on legislation?
-
The Council
-
European Parliament
-
European Commission
-
The Council of Europe
Correct Answer(s)
A. The Council
A. European ParliamentExplanation
The European Parliament and the Council of the European Union (often simply referred to as "The Council") are the two main institutions responsible for voting on and adopting legislation in the European Union. The European Commission proposes legislation, but it is the Parliament and the Council that debate, amend, and ultimately vote on the proposed laws. The Council of Europe is not an EU institution and does not have legislative powers in the EU.Rate this question:
-
- 20.
Which EU institution defines EU priorities and sets political direction?
-
European Council
-
European Commission
-
European Parliament
-
The Council
Correct Answer
A. European CouncilExplanation
The European Council is the correct answer because it is the EU institution that defines EU priorities and sets the political direction. It is made up of the heads of state or government of EU member countries, along with the President of the European Council and the President of the European Commission. The European Council meets regularly to discuss and make decisions on important issues and policies for the EU.Rate this question:
-
- 21.
Which is not a responsibility of the European Data Protection Supervisor?
-
Levies disciplinary actions against EU company management who violate privacy rules
-
Supervises the EU administration's processing of personal data to ensure compliance with privacy rules
-
Advises EU institutions and bodies on all aspects of personal data processing and related policies and legislation
-
Works with the national authorities of EU countries to ensure consistency in data protection
Correct Answer
A. Levies disciplinary actions against EU company management who violate privacy rulesExplanation
The European Data Protection Supervisor is responsible for supervising the EU administration's processing of personal data to ensure compliance with privacy rules, advising EU institutions and bodies on personal data processing and related policies and legislation, and working with national authorities of EU countries to ensure consistency in data protection. However, levying disciplinary actions against EU company management who violate privacy rules is not a responsibility of the European Data Protection Supervisor.Rate this question:
-
- 22.
Which European law harmonized data protection laws across member states?
-
Data Protection Directive
-
Convention 108
-
Data Privacy Directive
-
General Data Protection Regulation
Correct Answer
A. General Data Protection RegulationExplanation
The General Data Protection Regulation (GDPR) is a European law that standardizes data protection regulations across EU member states. It aims to protect the personal data of individuals within the EU by regulating how organizations collect, process, and store such data, enhancing privacy rights and ensuring data security and transparency.Rate this question:
-
- 23.
Which court oversees the 27 EU member states of the EU?
-
European Court of Justice
-
European Court of Human Rights
-
European Criminal Court of Justice
-
Convention 108
Correct Answer
A. European Court of JusticeExplanation
European Court of Human Rights is part of the Council of Europe, which has 47 members states (including Russia)Rate this question:
-
- 24.
Which of the following is the eCommerce Directive??
-
2000/31/EC
-
2002/58/EC
-
95/48/EC
-
2002/56/EC
Correct Answer
A. 2000/31/ECExplanation
The correct answer is 2000/31/EC. This directive, also known as the eCommerce Directive, is a European Union law that establishes certain legal rules for online services and electronic commerce in the internal market. It covers various aspects such as information society services, liability of intermediaries, electronic contracts, and electronic marketing. It aims to create a harmonized legal framework for online businesses and promote the development of the digital economy within the EU.Rate this question:
-
- 25.
The eCommerce Directive protects all of the following except which from illegal acts of their users
-
Application Developers
-
Telecoms
-
Social Networks
-
Website Operators
Correct Answer
A. Application DevelopersExplanation
The eCommerce Directive protects telecoms, social networks, and website operators from illegal acts of their users. However, it does not extend the same protection to application developers. This means that application developers can be held liable for any illegal activities or content that users engage in or share through their applications.Rate this question:
-
- 26.
An email provider would be legally protected if one of it's users threatened a policitician for a political decision under eCommerce Directive
-
True
-
False
Correct Answer
A. FalseExplanation
eCommerce Directive only applies to online economic activity. Using an email system to threaten a politician is not economic activity.Rate this question:
-
- 27.
Which is not an example of something performed by a data processor?
-
Defining personal data
-
Collecting personal data
-
Storing personal data
-
Deleting personal data
Correct Answer
A. Defining personal dataExplanation
A data processor is responsible for processing and managing personal data, such as collecting, storing, and deleting it. However, defining personal data is not a task performed by a data processor. Defining personal data is typically done by the data controller, who determines what types of data are considered personal and how they should be processed.Rate this question:
-
- 28.
Processors have fewer legal requirements than controllers
-
True
-
False
Correct Answer
A. TrueExplanation
Processors have fewer legal requirements than controllers because processors are entities that process personal data on behalf of the controller, whereas controllers determine the purposes and means of the processing. Controllers have more legal obligations and responsibilities under data protection laws, including the requirement to obtain consent from data subjects, implement appropriate security measures, and ensure compliance with data protection principles. Processors, on the other hand, have fewer direct legal obligations and primarily have to follow the instructions of the controller and implement appropriate security measures.Rate this question:
-
- 29.
Which data processing principal is least reliable?
-
Consent
-
Public Interest
-
Legitimate interest
-
Legal obligation
Correct Answer
A. ConsentExplanation
Consent is most unreliable because the data subject may withdraw consent at any time.Rate this question:
-
- 30.
A company can charge for responses to data subjects's exercise of rights
-
True
-
False
Correct Answer
A. TrueExplanation
If the subjects' requests are unfounded or excessive (repetitive), the controller may charge a reasonable fee or refuse the request. Controller bears the burden of proofRate this question:
-
- 31.
Which is the first law to require and establish DPAs in each member state?
-
Data protection directive
-
General data protection regulation
-
ECommerce directive
-
Convention 108
Correct Answer
A. Data protection directiveExplanation
The Data Protection Directive is the correct answer because it was the first law to require and establish Data Protection Authorities (DPAs) in each member state. This directive, adopted in 1995, aimed to protect individuals' personal data and ensure its free movement within the European Union. It established the framework for data protection laws in EU member states and required each state to set up an independent DPA to enforce and oversee compliance with the directive's provisions. The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018, further strengthening data protection laws in the EU.Rate this question:
-
Quiz Review Timeline (Updated): Jun 28, 2024 +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Jun 28, 2024Quiz Edited by
ProProfs Editorial Team -
Apr 28, 2020Quiz Created by
Randy
Back to top