1.
Which was the first legally binding data protection instrument?
Correct Answer
A. Convention 108
Explanation
Convention 108 was the first legally binding data protection instrument. It was adopted in 1981 by the Council of Europe and aimed to protect individuals' privacy and personal data. This convention established principles and rules for the collection, processing, and use of personal data by both public and private entities. It also emphasized the importance of individuals' rights and freedoms in relation to their personal data. Convention 108 has been influential in shaping data protection laws and regulations globally, and it continues to be a significant framework for ensuring privacy and data security.
2.
Which treaty created the EU?
Correct Answer
A. Treaty of Maastricht
Explanation
The Treaty of Maastricht is the correct answer because it is the treaty that officially created the European Union (EU). It was signed in 1992 and came into effect in 1993. The treaty established the EU as a political and economic union, laying the foundation for the creation of the euro currency, the development of a common foreign and security policy, and the expansion of the EU's membership. The Treaty of Maastricht marked a significant step towards European integration and the formation of the EU as we know it today.
3.
Which treaty promoted the European Charter of Fundamental Human Rights to the same legal status as other treaties, making it legally binding?
Correct Answer
A. Treaty of Lisbon
Explanation
The Treaty of Lisbon promoted the European Charter of Fundamental Human Rights to the same legal status as other treaties, making it legally binding. This treaty, signed in 2007 and entered into force in 2009, aimed to streamline and reform the functioning of the European Union. It strengthened the role of the EU institutions, enhanced the decision-making process, and increased the democratic accountability of the Union. One of the key provisions of the Treaty of Lisbon was the elevation of the Charter of Fundamental Human Rights to a legally binding document, ensuring the protection of human rights within the EU.
4.
Germany requires an organization with at least what number of employees to appoint a DPO?
Correct Answer
A. 9
Explanation
Germany requires an organization with at least 9 employees to appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with data protection laws and regulations, as well as advising the organization on data protection matters. This requirement is in line with the European Union's General Data Protection Regulation (GDPR), which aims to protect the privacy and personal data of individuals within the EU. By appointing a DPO, organizations can demonstrate their commitment to data protection and ensure that they handle personal data in a responsible and lawful manner.
5.
Which treaty created the European Economic Area?
Correct Answer
C. Treaty of Rome
Explanation
The Treaty of Rome created the European Economic Area. This treaty, signed in 1957, established the European Economic Community (EEC) which aimed to create a common market among its member states. The EEC aimed to promote economic integration, free movement of goods, services, capital, and labor, and to eliminate trade barriers among its member countries. The Treaty of Rome was a key step in the formation of the European Union and laid the foundation for the development of the single market.
6.
Which directive requires (and establishes) a data protection authority (DPA) in each member state?
Correct Answer
D. General data protection regulation
Explanation
The correct answer is the General Data Protection Regulation (GDPR). The GDPR requires and establishes a data protection authority (DPA) in each member state. These DPAs are responsible for enforcing and overseeing the application of the GDPR within their respective countries. They play a crucial role in ensuring the protection of individuals' personal data and promoting compliance with the regulation.
7.
Which of the following is the Data Protection Directive?
Correct Answer
A. 95/46/EC
Explanation
The correct answer is 95/46/EC. This is the Data Protection Directive that was adopted by the European Union in 1995. It sets out the principles and rules for the protection of personal data within the EU member states. The directive aims to harmonize data protection laws across the EU and ensure that individuals' privacy rights are respected. It outlines requirements for the processing, storage, and transfer of personal data, as well as the rights of individuals to access and rectify their personal data.
8.
When Brexit occurs, which act will the UK repeal?
Correct Answer
A. European Communities Act (ECA)
Explanation
When Brexit occurs, the UK will repeal the European Communities Act (ECA). This act, enacted in 1972, incorporated EU law into UK law and gave EU law supremacy over national law. Repealing the ECA will signify the UK's departure from the EU and the end of the supremacy of EU law in the UK.
9.
Which treaty formally recognized the European Council as an EU institution?
Correct Answer
B. Treaty of Lisbon
Explanation
The Treaty of Lisbon formally recognized the European Council as an EU institution. The European Council is an important decision-making body within the EU, composed of the heads of state or government of EU member countries, along with the President of the European Commission. The treaty, signed in 2007 and entered into force in 2009, aimed to streamline and strengthen the EU's institutions and decision-making processes. It introduced changes to various EU treaties, including the recognition of the European Council as a formal institution.
10.
Which of the following are directly applicable to EU member states?
Correct Answer
A. EU regulations
Explanation
EU regulations are directly applicable to EU member states. Regulations are binding legislative acts that are directly applicable in all EU member states without the need for national implementation. They have a direct effect and are automatically binding and enforceable in each member state. Therefore, EU regulations have a direct impact on the laws and policies of EU member states.
11.
A data subject requests that their data be deleted by an organization. After reviewing, the organization determines it does not hold any data on the data subject. Which is the appropriate response?
Correct Answer
A. Respond and let the subject know they do not have data, and that the subject can contact their DPA to lodge a complaint
Explanation
The appropriate response in this situation is to inform the data subject that the organization does not have any data on them and advise them to contact their Data Protection Authority (DPA) if they wish to lodge a complaint. This ensures that the data subject is informed about the status of their data and provides them with a recourse to address any concerns they may have.
12.
Which of the following is not a reason to decline a data subject's request for erasure of their data?
Correct Answer
A. For the performance of a service
Explanation
The reason "For the performance of a service" is not a valid reason to decline a data subject's request for erasure of their data because the right to erasure, also known as the right to be forgotten, allows individuals to request the deletion or removal of their personal data when there is no compelling reason for its continued processing. The performance of a service does not qualify as a legitimate reason to retain someone's personal data against their request for erasure.
13.
Which of the following is not a reason to decline a data subject's request for erasure of their data?
Correct Answer
A. For social media purposes
Explanation
The reason "For social media purposes" is not a valid reason to decline a data subject's request for erasure of their data because social media purposes do not outweigh an individual's right to have their personal data erased. The right to erasure is a fundamental right under data protection laws, and social media purposes do not fall under any of the exceptions mentioned in the question. Therefore, a data subject's request for erasure should be honored regardless of social media purposes.
14.
Which of the following is not a valid reason for not notifying data subjects of a data breach?
Correct Answer
A. Controller cannot prove data breach occurred
Explanation
The reason "Controller cannot prove data breach occurred" is not a valid reason to not notify data subjects of a data breach because notification should be made regardless of whether the controller can prove the breach occurred. The purpose of notifying data subjects is to inform them about the breach and any potential risks or consequences they may face. Even if the controller is unable to provide concrete evidence of the breach, it is still important to notify data subjects in order to maintain transparency and allow them to take any necessary actions to protect their personal data.
15.
Who must approve Binding Corporate Rules (BCRs) before they can be used?
Correct Answer
A. Data Protection Authority
Explanation
Binding Corporate Rules (BCRs) are a set of legally binding internal rules that govern the transfer of personal data within a multinational company. These rules must be approved by the Data Protection Authority before they can be implemented. The Data Protection Authority is responsible for ensuring that the BCRs comply with applicable data protection laws and regulations, and that they provide adequate safeguards for the protection of personal data. Therefore, the Data Protection Authority must review and approve the BCRs before they can be used by the company.
16.
In which scenario is biometric data not covered under Article 9?
Correct Answer
A. Granting access
Explanation
Biometric data is not covered under Article 9 in the scenario of granting access. Article 9 of the General Data Protection Regulation (GDPR) prohibits the processing of special categories of personal data, including biometric data, unless certain conditions are met. However, when it comes to granting access, biometric data may be processed as it is necessary for authentication and security purposes. Therefore, in this scenario, the processing of biometric data is exempted from the restrictions of Article 9.
17.
Which of the following is not a power the DPA has?
Correct Answer
A. Adjudicative power
Explanation
The correct answer is "Adjudicative power." The DPA, or Data Protection Authority, is an organization responsible for enforcing data protection laws. Adjudicative power refers to the authority to make legal judgments and decisions. However, the DPA's main powers include investigatory power (conducting investigations into data breaches or privacy violations), corrective power (imposing fines or penalties for non-compliance), and authorization and advisory power (granting permissions or providing guidance on data protection matters). Adjudicative power, which involves making legal judgments, is not within the scope of the DPA's responsibilities.
18.
Which of the following is not considered employee monitoring?
Correct Answer
A. Unique computer logins
Explanation
Unique computer logins are not considered employee monitoring because they are a basic security measure that allows employees to access their own computers and protect sensitive information. It is a standard practice for employees to have their own login credentials to ensure accountability and prevent unauthorized access. Employee monitoring, on the other hand, refers to the tracking and surveillance of employees' activities, such as monitoring their internet usage, email communications, or screen recording.
19.
Which EU institutions are responsible for voting on legislation?
Correct Answer(s)
A. The Council
B. European Parliament
Explanation
The European Parliament and the Council of the European Union (often simply referred to as "The Council") are the two main institutions responsible for voting on and adopting legislation in the European Union. The European Commission proposes legislation, but it is the Parliament and the Council that debate, amend, and ultimately vote on the proposed laws. The Council of Europe is not an EU institution and does not have legislative powers in the EU.
20.
Which EU institution defines EU priorities and sets political direction?
Correct Answer
A. European Council
Explanation
The European Council is the correct answer because it is the EU institution that defines EU priorities and sets the political direction. It is made up of the heads of state or government of EU member countries, along with the President of the European Council and the President of the European Commission. The European Council meets regularly to discuss and make decisions on important issues and policies for the EU.
21.
Which is not a responsibility of the European Data Protection Supervisor?
Correct Answer
A. Levies disciplinary actions against EU company management who violate privacy rules
Explanation
The European Data Protection Supervisor is responsible for supervising the EU administration's processing of personal data to ensure compliance with privacy rules, advising EU institutions and bodies on personal data processing and related policies and legislation, and working with national authorities of EU countries to ensure consistency in data protection. However, levying disciplinary actions against EU company management who violate privacy rules is not a responsibility of the European Data Protection Supervisor.
22.
Which European law harmonized data protection laws across member states?
Correct Answer
D. General Data Protection Regulation
Explanation
The General Data Protection Regulation (GDPR) is a European law that standardizes data protection regulations across EU member states. It aims to protect the personal data of individuals within the EU by regulating how organizations collect, process, and store such data, enhancing privacy rights and ensuring data security and transparency.
23.
Which court oversees the 27 EU member states of the EU?
Correct Answer
A. European Court of Justice
Explanation
The European Court of Justice is the court of the EU. By contrast, the European Court of Human Rights is part of the Council of Europe, which has 47 member states (including Russia).
24.
Which of the following is the eCommerce Directive?
Correct Answer
A. 2000/31/EC
Explanation
The correct answer is 2000/31/EC. This directive, also known as the eCommerce Directive, is a European Union law that establishes certain legal rules for online services and electronic commerce in the internal market. It covers various aspects such as information society services, liability of intermediaries, electronic contracts, and electronic marketing. It aims to create a harmonized legal framework for online businesses and promote the development of the digital economy within the EU.
25.
The eCommerce Directive protects all of the following from the illegal acts of their users except which?
Correct Answer
A. Application Developers
Explanation
The eCommerce Directive protects telecoms, social networks, and website operators from illegal acts of their users. However, it does not extend the same protection to application developers. This means that application developers can be held liable for any illegal activities or content that users engage in or share through their applications.
26.
An email provider would be legally protected under the eCommerce Directive if one of its users threatened a politician over a political decision.
Correct Answer
B. False
Explanation
The eCommerce Directive only applies to online economic activity. Using an email system to threaten a politician is not economic activity.
27.
Which is not an example of something performed by a data processor?
Correct Answer
A. Defining personal data
Explanation
A data processor is responsible for processing and managing personal data, such as collecting, storing, and deleting it. However, defining personal data is not a task performed by a data processor. Defining personal data is typically done by the data controller, who determines what types of data are considered personal and how they should be processed.
28.
Processors have fewer legal requirements than controllers.
Correct Answer
A. True
Explanation
Processors have fewer legal requirements than controllers because processors are entities that process personal data on behalf of the controller, whereas controllers determine the purposes and means of the processing. Controllers have more legal obligations and responsibilities under data protection laws, including the requirement to obtain consent from data subjects, implement appropriate security measures, and ensure compliance with data protection principles. Processors, on the other hand, have fewer direct legal obligations and primarily have to follow the instructions of the controller and implement appropriate security measures.
29.
Which data processing principle is least reliable?
Correct Answer
A. Consent
Explanation
Consent is the least reliable basis because the data subject may withdraw consent at any time.
30.
A company can charge for responses to data subjects' exercise of their rights.
Correct Answer
A. True
Explanation
If a subject's requests are unfounded or excessive (for example, repetitive), the controller may charge a reasonable fee or refuse the request. The controller bears the burden of proof.
31.
Which is the first law to require and establish DPAs in each member state?
Correct Answer
A. Data protection directive
Explanation
The Data Protection Directive is the correct answer because it was the first law to require and establish Data Protection Authorities (DPAs) in each member state. This directive, adopted in 1995, aimed to protect individuals' personal data and ensure its free movement within the European Union. It established the framework for data protection laws in EU member states and required each state to set up an independent DPA to enforce and oversee compliance with the directive's provisions. The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018, further strengthening data protection laws in the EU.