FULL CIPP/E FINAL EXAM TEST BANK LATEST 200+ QUESTIONS & CORRECT ANSWERS WITH RATIONALES GRADED A+
Typology: Exams
Accountability - CORRECT ANSWER >>> The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Accuracy - CORRECT ANSWER >>> Organizations must take every reasonable step to ensure the data processed is this and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

Adequate Level of Protection - CORRECT ANSWER >>> A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures this by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.

Annual Reports - CORRECT ANSWER >>> The requirement under the GDPR that the European Data Protection Board and each supervisory authority periodically report on their activities. The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. Shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

Anonymous Information - CORRECT ANSWER >>> In contrast to personal data, this is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

Anti-discrimination Laws - CORRECT ANSWER >>> Indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.

Appropriate Safeguards - CORRECT ANSWER >>> The GDPR refers to these in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a supervisory authority. Should ensure compliance with data protection

Availability - CORRECT ANSWER >>> Data is this if it is accessible when needed by the organization or data subject. The GDPR requires that a business be able to ensure this of personal data and have the ability to restore it and access to personal data in a timely manner in the event of a physical or technical incident.

Background Screening/Checks - CORRECT ANSWER >>> Organizations may want to verify an applicant's ability to function in the working environment as well as assuring the safety and security of existing workers. Range from checking a person's educational background to checking on past criminal activity. Employee consent requirements for such checks vary by member state and may be negotiated with local works councils.

Behavioral Advertising - CORRECT ANSWER >>> Most often done via automated processing of personal data, or profiling, the GDPR requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Binding Corporate Rules - CORRECT ANSWER >>> An appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. Compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had these approved.

Binding Safe Processor Rules - CORRECT ANSWER >>> Previously, the EU distinguished between these for controllers and processors. With the GDPR, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both Controllers and Processors.

Biometrics - CORRECT ANSWER >>> Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The GDPR, in Article 9, lists these for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

Bodily Privacy - CORRECT ANSWER >>> One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person's physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

Breach Disclosure (EU specific) - CORRECT ANSWER >>> The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Bundesdatenschutzgesetz-neu - CORRECT ANSWER >>> Germany's federal data protection act, implementing the GDPR. With the passage of the GDPR, it replaced a previous law with the same name and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission.

CCTV - CORRECT ANSWER >>> Has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and were truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

Certification Mechanisms - CORRECT ANSWER >>> Introduced by the GDPR, a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. These must be developed by certifying bodies, approved by data protection authorities or the EDPB (European Data Protection Board),

data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Communications Privacy - CORRECT ANSWER >>> One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Confidentiality - CORRECT ANSWER >>> Data is this if it is protected against unauthorised or unlawful processing. The GDPR requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of this.

Consent (EU specific) - CORRECT ANSWER >>> This privacy requirement is one of the fair information practices. In the GDPR, however, it is specifically one of the legal bases for processing personal data. According to the GDPR, for it to be valid, it must be: clearly distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive, affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit _________ is required for processing, a higher standard than unambiguous consent.

Consistency Mechanism - CORRECT ANSWER >>> In order to ensure the consistent application of the GDPR throughout the European Union, the GDPR establishes this which allows member state supervisory authorities to cooperate with one another. The mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the EDPB (European Data Protection Board), and the EDPB's members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered.

Content Data - CORRECT ANSWER >>> The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata. The ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of this.

Contractual Clauses - CORRECT ANSWER >>> Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, these are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Convention 108 - CORRECT ANSWER >>> A legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.

Cookie - CORRECT ANSWER >>> A small text file stored on a client machine that may later be retrieved by a web server from the machine. Allow web servers to keep track of the end user's browser activities, and connect individual web requests into a session. Can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. May be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session ___________" if they are deleted when a session ends, or "persistent ___________" if they remain longer. Notably, the GDPR lists this latter category, so-called "identifiers," as an example of personal information. The use is regulated both by the GDPR and the ePrivacy Directive.

Cookie Directive - CORRECT ANSWER >>> An amendment made to the European Union's

which laid the foundations for the EU, and works with the European Parliament to create EU law.

Cross-border Data Transfers (EU specific) - CORRECT ANSWER >>> Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission. It also applies to onward transfers — from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

Data Breach Notification (EU specific) - CORRECT ANSWER >>> The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Data Elements - CORRECT ANSWER >>> A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that these in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

Data Controller - CORRECT ANSWER >>> The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, this or the specific criteria for its nomination may be provided for by EU or member state law.

Data Portability - CORRECT ANSWER >>> In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

Data Processor - CORRECT ANSWER >>> A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

Data Protection Authority (EU specific) - CORRECT ANSWER >>> A term often used to refer to a supervisory authority.

Data Protection by Default - CORRECT ANSWER >>> The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. Such organizational measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, and enabling the data subject to monitor the data processing.

Data Protection by Design - CORRECT ANSWER >>> When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Data Protection Commissioner - CORRECT ANSWER >>> The title given in some member states to the supervisory authority.

EU Data Protection Directive (95/46/EC) - CORRECT ANSWER >>> Was replaced by the

with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject - CORRECT ANSWER >>> An identified or identifiable natural person.

De-identification - CORRECT ANSWER >>> An action that one takes to remove identifying characteristics from data.

Derogation - CORRECT ANSWER >>> In the context of European Union legislation interacting with member state law, a place in an EU-wide regulation where individual member states are left to make their own law or have the option to deviate. Can also simply refer to an exception to a certain basic rule or principle.

Direct Marketing (EU specific) - CORRECT ANSWER >>> In the context of data protection law, can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations. While it is offered in the GDPR as an example of processing for the legitimate interest of an organization, it also says the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such marketing.

Disclosure - CORRECT ANSWER >>> The provision of access to personal data.

Dispute Resolution - CORRECT ANSWER >>> In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board, EDPB, can issue binding decisions on: objections to lead authority decisions, on disputes about which supervisory authority should be the lead authority, and where there has been a failure to request the EDPB's opinion under Article 64 or the opinion is not followed.

Durant v. Financial Services Authority - CORRECT ANSWER >>> A court case in which the Court of Appeal of the United Kingdom narrowed the definition of personal data under the Data Protection Act of 1998. It established a two-stage test; the information must be biographical in a significant sense and the individual must be the focus of the information.

Electronic Communications Network - CORRECT ANSWER >>> Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed. In the discussions surrounding the update of the ePrivacy Directive to the ePrivacy Regulation, so-called "over the top" providers, like app-based messaging services, are beginning to be considered as part of the ECN.

Employee Personal Data - CORRECT ANSWER >>> Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing this. These rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.

Consent and Employee Personal Data - CORRECT ANSWER >>> Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

Erasure - CORRECT ANSWER >>> Article 17(1) of the GDPR establishes that data subjects have this right of their personal data if: the data is no longer needed for its original purpose and no new lawful purpose exists; the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists; the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; the data has been processed unlawfully; or this is necessary for compliance with EU law or the national law of the relevant member state.

the Commission is entitled to send a delegate to its meetings. Its role is to ensure the consistent application of the Regulation and, in addition to supporting cooperation between the regulators and applying the consistency mechanism, it shall publish advice, guidance, recommendations and best practices. The supervisory authorities elect a chairperson, with certain powers, from amongst their membership.

European Data Protection Supervisor - CORRECT ANSWER >>> An independent supervisory authority for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. Acts as secretariat to the European Data Protection Board (see European Data Protection Board). Giovanni Buttarelli and Wojciech Wiewiórowski have been appointed Supervisor and Assistant Supervisor respectively by a joint decision of the European Parliament and the Council. Appointed for a five-year term, they took office on 4 December 2014.

European Economic Area - CORRECT ANSWER >>> An economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein—which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in this are required to adopt EU legislation regarding the single market.

European Economic Community - CORRECT ANSWER >>> Created by the Treaty of Rome, was a predecessor to the European Union that promoted a single economic market across Europe.

European Parliament - CORRECT ANSWER >>> The only EU institution whose members are directly elected by citizens of individual member states, has four responsibilities— legislative development, supervisory oversight of other institutions, democratic representation and budget development.

European Union - CORRECT ANSWER >>> Replaced the EEC, which was created by the Treaty of Rome and first promoted a single economic market across Europe. Currently comprises 28 member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.

Factortame - CORRECT ANSWER >>> A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence. Spanish fisherman

Fairness - CORRECT ANSWER >>> One of three requirements established by the GDPR for the processing of personal data: The first principle of processing personal data is "lawfulness, fairness, and transparency," which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Linked most often with transparency, means data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. Consent notices should not contain unfair terms and supervisory authority powers should similarly be exercised fairly.

Four Classes of Privacy - CORRECT ANSWER >>> bodily privacy (invasion - genetic / drug testing, body cavity searches); communications privacy (protection of correspondence); information privacy (when, how, extent data is shared); territorial privacy (intrude into another individual's environment).

Freely Given - CORRECT ANSWER >>> The GDPR requires that consent be a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject must have a genuine choice, must be able to refuse or withdraw consent without fear of consequence. Where there is a power imbalance, as in an employer-employee relationship, for example, it's likely that consent cannot be freely given.

Gaskin v. United Kingdom - CORRECT ANSWER >>> A judgment delivered by the ECHR (European Court of Human Rights) in 1989 held that the restriction of the applicant's access to his personal file was contrary to Article 8 of the Convention, citing a breach of right to respect for his family and private life. Case related to abuse whilst in social services care.

Information Life Cycle - CORRECT ANSWER >>> Recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: collection, processing, use, disclosure, retention, and destruction.

Information Privacy - CORRECT ANSWER >>> One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Information Security - CORRECT ANSWER >>> The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Integrity - CORRECT ANSWER >>> The GDPR requires that controllers and processors implement measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. This refers to the consistency, accuracy and trustworthiness of the data (see Accuracy).

Internet Protocol Address (EU specific) - CORRECT ANSWER >>> Listed within the GDPR as a form of personal information, a unique string of numbers that identifies a computer on the Internet or other TCP/IP network. The address is expressed in four groups of up to three numbers, separated by periods. For example: 123.123.23.2. An address may be "dynamic," meaning that it is assigned temporarily whenever a device logs on to a network or an Internet service provider and consequently may be different each time a device connects. Alternatively, an address may be "static," meaning that it is assigned to a particular device and does not change, but remains assigned to one computer or device.

Internet Service Provider - CORRECT ANSWER >>> A company that provides Internet access to homes and businesses through modem dial-up, DSL, cable modem broadband, dedicated T1/T3 lines or wireless connections.

ISO (International Organization for Standardization) 27001 - CORRECT ANSWER >>> The standard is a code of practice for implementing an information security management system, against which organizations can be certified.

ISO (International Organization for Standardization) 27002 - CORRECT ANSWER >>> The standard is a code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities". It can be considered a guide to implementing ISO 27001.

Joint Operations - CORRECT ANSWER >>> A reference to joint investigations and joint enforcement measures in which members or staff from the supervisory authorities of multiple member states are involved. The GDPR requires supervisory authorities to work with one another when processing operations affect data subjects in multiple member states.

Law Enforcement Authority (EU specific) - CORRECT ANSWER >>> A body sanctioned by local, regional or national governments to enforce laws and apprehend those who break them. In Europe, are governed by strict rules of criminal procedure designed to protect the fundamental human right to privacy enshrined in Article 8 of the European Convention on Human Rights (ECHR). In the arena of data protection, law enforcement is governed by the Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purpose of Law Enforcement (Directive 2016/680), which came into force in April 2016.

Law Enforcement Directive - CORRECT ANSWER >>> Technically Directive 2016/680, or the Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Law Enforcement, this is the EU law governing the handling of personal data by competent law enforcement authorities. Each member state