DCPP-01 Sample Questions Answers

The vendor (data importer) in the third country, and not the exporter is responsible to put in place suitable model contractual clauses, and hence the exporter does not need to take any action.

Since the data is processed by the vendor outside the EU, the EU directive does not apply and hence there are no legal concerns

The data exporter needs to initiate model contractual clauses after obtaining approvals from data protection commissioner and have the vendor be a signatory on the same as data importer

The data importer need to notify about the transfer to data protection commissioner in the destination country and exporter need to similarly notify in the EU country of origin

Personal heuristic information

Public health information

Protected health information

Personal health information

Transfer of information is allowed to those who ensure the same level of data protection that is adhered to by the company as provided for under the Indian laws

The transfer of information is allowed only after taking approval of Chief Information Commissioner of India

The transfer of information is allowed only after taking approval of DeitY (Department of Electronics & Information Technology) in India

The transfer may be allowed only if it is necessary for the performance of the lawful contract or where the data subject has consented to data transfer

Right to Privacy Act

Right to Information Act

Right to Freedom of Speech and Expression

Right to Social Security

Protect the constitution

Penalize the organizations and impose fines for failure to protect privacy

Ensure peace in the society

Protect individual rights

Right to Internet

Privacy

Right to Information

Dispute resolution

“Intermediaries” as defined under the IT (Amendment) Act, 2008

Telecom Service Providers

Intelligence and Law Enforcement Agencies

Directorate of Revenue Intelligence (DRI)

A is the data controller since it collects data directly from X & Y

B is the data controller while A is the sub processor as B has outsourced the data collection and processing to A

B is the data controller that uses A as data processor to collect and process data of data subjects X and Y

Both A & B are data controllers since both need to maintain highest principles of data protection

Sexual orientation

Political affiliation

Religion and caste

Call Data Records (CDRs)

Fair information Privacy Practices of US, 1974

EU Data Protection Directive

Safe Harbor Framework

WTO’s Free Trade Agreement

Credit card number with expiry date

Bank account Information

Loan account Information

Income tax return file acknowledgement number

Collection of biometrics in India is a statutory requirement

Proper and adequate notification is not provided to data subjects before and during the collection of their personal information

Data subjects are not limited in their ability to exercise control over the ways their personal information is being used, once it has been shared by them as part of the projects

Citizens are being given the choice to opt out from submitting their biometric details and are allowed to complete the environment without submitting their biometrics

Social media

Mass surveillance

Use of secure wireless connections

Increase in digitization of personal information

PII is necessarily a single data element, not a combination of data elements, which can uniquely identify an individual

PII is a subset of Sensitive Personal Information

PII is any information about a legal entity including details of its registration or any information that may allow its easy identification

None of the above

National security adversely affected by such information

This information is detrimental to the stability of the ruling party in government

Detrimental effect on the public image of government agencies

In the absence of a public interest, such information may adversely impact the privacy of its officials

Only manual processing of personal data

Only electronic processing of personal data

The electronic or manual processing of personal information

None of the above

An individual sharing his/her information

A third party agency collects personal information

An organization that determines the means and purposes of data processing

Processor of data

Gramm-Leach-Bliley Act, 1999

Child online protection Act, 1998

Personal Information Protection and Electronic Documents Act (PIPEDA)

Sarbanes-Oxley Act, 2000

Religious Beliefs

Medical records and history

Sexual orientation

Password

Right to be informed prior to sharing of data

Right to modify data

Right to be forgotten

Right to object data collection and processing

It is a requirement mentioned in EU Data Protection Directive

It is a requirement mentioned in the OECD Privacy Framework

It is a requirement mentioned in the EU E-Commerce Directive

None of the above

Federal Data Protection Act, Germany

UK Data Protection Act

PIPEDA

Singapore Data Protection Act

No, since it is a free checkup camp for their welfare

Yes, in the any language as per the wishes of said hospital

No, since the law does not require the same in this case

Yes, in the language such women would understand

None of the above, since they are outsourcing the work to XYZ who will carry the liability going forward

All except V and VI

All except III

All of the above listed privacy principles

Right to Life and Personal liberty

Right to Opportunity

Right to Freedom of Speech and Expression

Right to Equality before law

EU Data Protection Directive

Canada’s PIPEDA

Australia’s ANPP

IT Act of India

Data sharing does not require consent from the consumers.

As soon as the GLBA privacy notice is disclosed initially and annually

FTC permission is required

Consumers' consent must be obtained first

Data collection through multiple modes and channels

Evolution of nimble and flexible business processes affecting access management

Regulatory requirements to issue privacy notice and data breach notification in specified format

Increasing focus on right to privacy

Right to be forgotten

Right to modify data

Right to be informed prior to sharing of data

Right to object data collection and processing

Online disclosure of "selective" information by a person that is publicly available

The process of obtaining information online that a person can control

People's concerns over the license agreements they sign with any company

People's concern over the way their personal information is used during online activities

Data privacy professionals are in high demand

Data flows across borders and outsourcing in a globalized world

Rapid growth of social networking sites, which are used to share a lot of personal information

Information about individuals having a greater economic value

Possible violation of ‘Collection Limitation’

Possible violation of ‘Use Limitation’

Risk of data subjects directly reaching to service provider

Data security controls in third party provider’s environment

As part of APEC, member countries do not need to sign binding treaties or directives on privacy

Personal information is not covered by the APEC privacy framework

Members of APEC do not cooperate with each other in the enforcement of privacy laws

APEC provides no regulations on e-commerce