CIPP/E Latest Update - 450 Questions and 100% Verified Correct Answers Guaranteed A+
Article 29 Working Party - Responsibilities - CORRECT ANSWER: 1. Draft opinions
- Outputs
- Spot divergences
- Issue recommendations
- Annual reports
-- Opinions -- Working documents -- Annual reports
BCR - Cons - CORRECT ANSWER: 1. Not self-certification yet
- Lack of DPAs' resources
- Top management buy-in required
BCR - Pros - CORRECT ANSWER: 1. Legal certainty
- Flexibility
- Reduced scrutiny
- Framework for global compliance program
BCR Requirements - CORRECT ANSWER: 1. Must apply generally throughout the corporate group;
- System that guarantees awareness and implementation of the BCRs;
- Provide for self-audits;
- Set up a system by which individuals' complaints are dealt with by a clearly identified representative or department;
- Contain clear duties of cooperation with DPAs.
- Contain provisions on liability and jurisdiction aimed at facilitating their practice exercise.
- Corporate group must accept that individuals will be entitled to take action against the group as well as to choose the jurisdiction.
- Individuals must be made aware that personal data is being communicated to other members of the corporate group outside the EU.
Confidentiality and Security -- Practice - CORRECT ANSWER: In practice:
- Layered policy framework;
- Human factors;
- Physical environment;
- Information technology & communications; and
- Data processors
Confidentiality and Security -- Theory - CORRECT ANSWER: In theory, controllers
must implement appropriate technical and organizational measures to protect personal data.
Controllers are required to carry out a risk assessment when making decisions about controls. The risk assessment must reflect on the nature of the data that is to be processed, the threat vectors that challenge the data, and the harm that may result from a security breach.
Consent - CORRECT ANSWER: Freely given (i.e., they must have a genuine choice);
Specific (i.e., given specifically for the particular processing operation in question); and
Informed (i.e., data subject is given all the necessary details of the processing activity in a language and form he can understand)
Controller - CORRECT ANSWER: Natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.
Convention 108 v. OECD Guidelines - CORRECT ANSWER: Convention 108 differs
from the Guidelines in that it required signatories to take the necessary steps in their domestic legislation to apply the principles it lays down.
Council of Europe Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data - CORRECT ANSWER: Also known as Convention 108.
Was the first legally binding international instrument in the area of data protection. Convention 108 sets the standard for the protection of the personal data of individuals while also seeking to find a balance for the need to maintain the free flow of personal data for the purposes of international trade.
Council of the EU - CORRECT ANSWER: The main decision-making body of the EU,
having a central role in both political and legislative decisions. The Council's meetings are attended by one minister from each member state, where ministers have the power to commit their government.
Court of Justice of the European Union - CORRECT ANSWER: The judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect of actions taken by the European Commission against a member state or action taken by an individual to enforce his rights under EU law.
Data Protection Directive - Article 4(1)(a) - CORRECT ANSWER: The law of a member state applies when the data processing is carried out in the context of the activities of an establishment of the controller on the territory of the member state.
Where the controller has establishments in more than one member state, it must follow each national law attributable to its data processing operations.
Data Protection Directive - Article 4(1)(c) - CORRECT ANSWER: The provision is
intended to allow a member state to apply its national data protection law to a controller who, although not established in the EU, makes use of equipment situated in that member state unless that equipment is used only for the purposes of transit through the EU.
Data Protection Directive (95/46/EC) - CORRECT ANSWER: Sets out general
principles and leaves member states to implement these as they see fit.
Data Protection Principles - CORRECT ANSWER: 1. Fairness and lawfulness
- Purpose limitation (AKA principle of finality)
- Proportionality
- Data quality
Data Quality - CORRECT ANSWER: The principle has two distinct aspects:
- Accuracy of the data--data controllers must ensure that personal information is
accurate when collected and remains accurate afterwards.
- Data retention--the Directive requires data controllers to delete irrelevant or
unnecessary information after considering the purposes for which the data was collected or for which it is further processed.
Data Retention Directive (2006/24/EC) - CORRECT ANSWER: Retention of data
generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks amends the relevant data retention provisions of the e-Privacy Directive.
The Directive does not cover retention of the actual content of communications--rather it applies to traffic and location data of both individuals and organizations, as well as to the relevant data necessary to identify the subscriber or registered user.
Data Subjects Rights - "Reasonable Interval" - CORRECT ANSWER: Generally interpreted as once a year, although it may be as short as once every six months (as is the case in Denmark).
Data Subjects Rights - CORRECT ANSWER: 1. Right to access;
- Right to obtain rectification, erasure, or blocking;
- Right to object to the processing;
- Right to object to direct marketing;
- Right not to be subject to fully automated decisions
DPA Notification - CORRECT ANSWER: Immediate requirement is to notify the relevant national data protection authorities that the organization intends to process personal information.
DPA Notification -- Prior Authorization - CORRECT ANSWER: Prior checking is carried out by the national DPA following receipt of a notification from the data controller or data protection official. Typically, this requirement for prior checking takes place when judicial data or "sensitive" personal data is due to be processed.
DPA Notification Obligation Purposes - CORRECT ANSWER: 1. Foster transparency;
- Assists the DPAs with regulatory functions; and
- Source of funds
DPAs' Powers and Responsibilities - CORRECT ANSWER: 1. Investigative powers
- Powers of intervention
- Power to engage in legal proceedings
- Receiving and dealing with complaints
- Annual reports
- International cooperation
E-Privacy Directive - CORRECT ANSWER: Concerns the processing of personal data
and the protection of privacy in the electronic communications sector and covers all forms of electronic communications.
E-Privacy Directive Amendment - CORRECT ANSWER: The changes generally relate
to the introduction of mandatory notification of personal data breaches by electronic communications services providers. Perhaps the most pertinent and controversial amendment concerns the new provision affecting cookies: the storing of information (or the gaining of access to information already stored) in the terminal equipment of a subscriber or user is allowed only on the condition that the user concerned has given consent, having been provided with clear and comprehensive information.
European Commission - CORRECT ANSWER: Described as the executive body of the
EU. It implements the EU's decisions and politics, but it also has other broad functions, including the power to initiate legislation.
European Convention on Human Rights - CORRECT ANSWER: Treaty drawn up by the
Council of Europe that protects fundamental rights. Adopted in 1953 and based on the Universal Declaration of Human Rights.
European Convention on Human Rights - Article 10 - CORRECT ANSWER: Protects
the right of freedom of expression and the right to share information and ideas across national boundaries.
European Convention on Human Rights - Article 8 - CORRECT ANSWER: Protects
rights of individuals