Some new sample questions:
Question:
According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?
A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.
B. If there is such a large amount of data that the controller cannot identify the data subject of the request.
C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.
D. If the personal data was processed in the past but is no longer at the controller’s disposal at the time of the request.
Question:
In the EDPB’s Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, all of the following practices follow from the principles relating to the processing of personal data under EU data protection law EXCEPT?
A. Data ownership allocation.
B. Access control management.
C. Frequent pseudonymization key rotation.
D. Error propagation avoidance along the processing chain.
Question:
SCENARIO
Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when sales people are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye’s software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.
All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.
Under what condition could the surveillance system be used on the personal devices of employees?
A. Only if the monitoring system is manufactured by a European vendor storing the monitoring data within the EU.
B. Only if the employees give valid consent and the monitoring is narrowly limited to their professional tasks.
C. Only if the cloud that stores the monitoring data is certified by the EDPB as GDPR compliant.
D. Only if the employer offers an adequate compensation for using the employee’s devices.
Question:
According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?
A. Only the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established.
B. Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.
C. Every supervisory authority of the EU member states where the controller is offering goods or services.
D. Every supervisory authority for which affected data subjects reside in their EU member state.
…..