Practice with CIPP-E Dumps for Certified Information Privacy Professional Certified Exam Questions & Answer [Q141-Q163]



The IAPP CIPP-E certification exam is a valuable credential for privacy professionals who work in Europe or with European data. The CIPP-E exam is designed to test the candidate's knowledge of the GDPR and data protection principles, and is offered by the world's largest association of privacy professionals. The Certified Information Privacy Professional/Europe (CIPP/E) certification is valid for three years and can be renewed by earning continuing education credits.


NEW QUESTION # 141
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  • A. An explanation of the security measures used when personal data is transferred to a third party.
  • B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
  • C. An efficient means of providing written consent in member states where they are required to do so.
  • D. A privacy notice containing brief information whilst offering access to further detail.

Answer: D

Explanation:
A layered notice is a privacy notice designed to respond to problems with excessively long notices. A short notice - the top layer - provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects. The full notice - the bottom layer - covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed.


NEW QUESTION # 142
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva's legal responsibility as a processor?

  • A. They must report it to the supervisory authority.
  • B. They must conduct a full systems audit.
  • C. They must inform customers who have used the website.
  • D. They must report it to TripBliss Inc.

Answer: B


NEW QUESTION # 143
For which of the following operations would an employer most likely be justified in requesting the data subject's consent?

  • A. Assessing a potential employee's job application.
  • B. Processing an employee's health certificate in order to provide sick leave.
  • C. Operating a CCTV system on company premises.
  • D. Posting an employee's bicycle race photo on the company's social media.

Answer: D


NEW QUESTION # 144
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

  • A. Greece
  • B. Switzerland
  • C. Australia
  • D. Norway

Answer: B

Explanation:
Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED). These decisions contain the European Commission's detailed assessment of the UK's laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 2025.
Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations. Therefore, the correct answer is D. Switzerland. References:
https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html
https://data-privacy-office.eu/courses/cipp-e-official-training-course/


NEW QUESTION # 145
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • B. The identity and contact details of the controller and the reasons the data is being collected.
  • C. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
  • D. The contact information of the controller and a description of the retention policy.

Answer: B

Explanation:
The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller's representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR.
Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory. References:
1: Article 13 of the GDPR
2: Article 14 of the GDPR
3: Article 13(1)(a) and of the GDPR
4: Article 14(1)(a) and of the GDPR
5: Recital 60 of the GDPR


NEW QUESTION # 146
Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?

  • A. It applies only to direct enforcement of data protection supervisory authorities (e.g. finding a breach), but not to initiating or engaging in court proceedings
  • B. It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.
  • C. It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.
  • D. It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations in exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.

Answer: D

Explanation:
The "one-stop-shop" mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR. The "one-stop-shop" mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state. Under the "one-stop-shop" mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows. However, the "one-stop-shop" mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority. These exceptional cases include the following situations:
  • When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;
  • When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;
  • When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;
  • When an urgent need to act arises in order to protect the rights and freedoms of data subjects.
In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter. Therefore, option D is the correct answer. Reference: Art. 60 GDPR - Cooperation between the lead supervisory authority and the other supervisory authorities concerned, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)


NEW QUESTION # 147
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  • A. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
  • B. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  • C. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
  • D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Answer: C


NEW QUESTION # 148
The Planet 49 CJEU Judgement applies to?

  • A. Cookies used only by third parties.
  • B. Cookies regardless of whether the data accessed is personal or not.
  • C. Cookies where the data accessed is considered as personal data only.
  • D. Cookies that are deemed technically necessary.

Answer: B


NEW QUESTION # 149
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

  • A. The European Parliament
  • B. The Article 29 Working Party
  • C. The European Commission
  • D. The European Council

Answer: C

Explanation/Reference:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en


NEW QUESTION # 150
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible.
Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

  • A. If the accuracy of the data is not an aspect that Louis is disputing.
  • B. If Accidentable also uses the data to conduct public health research.
  • C. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
  • D. If the data becomes necessary to defend Accidentable's legal rights.

Answer: C



NEW QUESTION # 151
With the issue of consent, the GDPR allows member states some choice regarding what?

  • A. The mechanisms through which consent may be communicated
  • B. The age at which children must be required to obtain parental consent
  • C. The circumstances in which silence or inactivity may constitute consent
  • D. The timeframe in which data subjects are allowed to withdraw their consent

Answer: B

Explanation:
The GDPR states that the parental consent mechanism generally applies when the child is younger than 16 years. Processing personal data will be lawful only if the child's parent or custodian has consented to such processing. However, Member States are allowed to lower this threshold in national legislation up to 13 years old. This means that Member States have some choice regarding the age limit for children's consent, as long as it is not below 13 years. The GDPR also requires that the consent request is clear and understandable for the child, and that the controller makes reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Complying with the GDPR when vulnerable people use smart devices


NEW QUESTION # 152
Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended for AI-based technologies because of the way it provides processing information at specific points of data collection?

  • A. Visualization notice.
  • B. Layered notice.
  • C. Privacy dashboard notice
  • D. Just-in-time notice.

Answer: C


NEW QUESTION # 153
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs' handling of customer personal data?

  • A. The data is sensitive.
  • B. The data is being used for a new purpose.
  • C. The data is being processed via a new means.
  • D. The data is uncategorized.

Answer: B

Explanation:
According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or rely on another lawful basis for processing. Data controllers must also respect the principle of data minimisation, which means that they should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed.
In the scenario, Brady transfers his customers' personal data to Hermes Designs, a third-party contractor, for the purpose of providing web page design services. However, Hermes Designs uses the data for a new purpose, which is creating sample customized banner advertisements and conducting direct marketing to the customers. This new purpose is not compatible with the original purpose for which the data was collected and transferred, and it is not likely that the customers have consented to it or that there is another lawful basis for it. Moreover, Hermes Designs may be processing more personal data than what is necessary for the original purpose, such as the customers' business plans and preferences. Therefore, Brady should be concerned with Hermes Designs' handling of customer personal data, as it may violate the GDPR and expose him to legal risks and reputational damage.
Reference:
1: Art. 5(1)(b) GDPR Principles relating to processing of personal data
2: Art. 5(1) GDPR Principles relating to processing of personal data


NEW QUESTION # 154
If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

  • A. The rules regarding the exercising of data subjects' rights.
  • B. The definition of a central contact point for data subjects.
  • C. The non-disclosure of the essence of their arrangement to data subjects
  • D. The rules to provide information to data subjects in Articles 13 and 14.

Answer: D


NEW QUESTION # 155
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

  • A. When paying a search engine company to give prominence to certain products and services within specific search results.
  • B. When emailing a customer to announce that his recent order should arrive earlier than expected.
  • C. When creating an untargeted pop-up ad on a website.
  • D. When calling a potential customer to notify her of an upcoming product sale.

Answer: A

Explanation:
The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.
Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.
Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.
Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer's personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.
Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer's personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure. Reference:
Free CIPP/E Study Guide, page 15, section 2.3.3
CIPP/E Certification, page 10, section 1.1.2
CIPP/E Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3
ePrivacy: The EU's other data protection rule
The New Rules of Data Privacy
A guide to GDPR data privacy requirements
A guide to the data protection principles


NEW QUESTION # 156
SCENARIO
Please use the following to answer the next question:
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. HRYourWay was ultimately not selected.
  • B. HRYourWay is not located in a third country.
  • C. ProStorage will obtain consent for all transfers.
  • D. ProStorage can rely on its Binding Corporate Rules.

Answer: B

Explanation:
According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA). Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission. HRYourWay is a German-based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. Reference:
GDPR, Chapter V
GDPR, Article 4 (24)
GDPR, Article 45


NEW QUESTION # 157
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included awareness training programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  • A. Consulted with the relevant data protection authority about potential privacy violations.
  • B. Consulted with the Information Security team to weigh security measures against possible server impacts.
  • C. Assessed potential privacy risks by conducting a data protection impact assessment.
  • D. Distributed a more comprehensive notice to employees and received their express consent.

Answer: C

Explanation:
A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals. The GDPR requires controllers to conduct a DPIA before starting such processing activities. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees' computers, which could affect their privacy and other fundamental rights. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities. The other options are not the first step that Building Block should have taken, as they either follow or depend on the outcome of the DPIA. Reference: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO


NEW QUESTION # 158
A company wishes to transfer personal data to a country outside of the European Union/EEA. In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use. All of the following factors would be relevant for the company to consider EXCEPT?

  • A. The technical, financial, and staff resources available to an authority in the third country concerned that may access the personal data to be transferred.
  • B. The process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data.
  • C. Any onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.
  • D. The contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned.

Answer: B


NEW QUESTION # 159
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

  • A. The group of undertakings must be comprised of organizations of similar sizes and functions.
  • B. The data protection officer must be located in the country where the data controller has its main establishment.
  • C. The group of undertakings must obtain approval from a supervisory authority.
  • D. The data protection officer must be easily accessible from each establishment where the undertakings are located.

Answer: D

Explanation:
According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What's different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley


NEW QUESTION # 160
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

  • A. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
  • B. Failure to process personal information in a manner compatible with its original purpose.
  • C. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
  • D. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.

Answer: A

Explanation:
According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option A falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option D is related to Article 7, which governs the conditions for consent. Option B is related to Article 5, which sets out the principles for processing personal data. Option C is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:
* GDPR Article 83
* GDPR Article 25
* GDPR Article 7
* GDPR Article 5
* GDPR Article 16


NEW QUESTION # 161
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible.
Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

  • A. Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.
  • B. Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
  • C. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.
  • D. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

Answer: B



NEW QUESTION # 162
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679" provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A direct electronic message
  • B. A prominent advertisement in print media
  • C. A postal notification
  • D. A notice on a corporate blog

Answer: D

Explanation:
According to the WP29's "Guidelines on Personal data breach notification under Regulation 2016/679", the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is D. A notice on a corporate blog. Reference:
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679", pages 20-21


NEW QUESTION # 163
......


Achieving CIPP-E certification is a significant achievement for privacy professionals who are looking to advance their careers. It demonstrates a high level of knowledge and expertise in the field of data protection and can open up new opportunities for career progression. Additionally, maintaining the certification requires ongoing education and training, ensuring that certified professionals stay up-to-date with the latest developments in data protection laws and regulations.


The IAPP CIPP-E exam is formulated to ensure that the candidate has extensive knowledge of pan-European as well as national data protection laws. The candidate also demonstrates their knowledge of key privacy terminology and applicable concepts on how to protect personal data as well as international data processing. The French and German versions of this test are ISO certified, and the evaluation has the ANSI/ISO certificate. Moreover, the exam is updated regularly to ensure that it tests the candidate on the most current content in the industry. It encompasses important topics such as the EU-US Privacy Shield as well as the GDPR.
