A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

SCENARIO Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more informati

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?

Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

Read the following steps: Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices Monitor and analyze the apps and devices for compliance Manage application life cycles Monitor data sharing An organization should perform these steps to do which of the following?

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Which of the following was the first to implement national law for data protection in 1973?

SCENARIO Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business. During negotiations, a Techiva representative

SCENARIO Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including childr

When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?