
CIPP-E Dumps with Practice Exam Questions Answers
CIPP-E by Certified Information Privacy Professional Actual Free Exam Practice Test
What is the Solution for IAPP CIPP/E Exam
For the preparation of IAPP certification exams, there is first the online web simulator and mobile app, which are suited to understanding the real exam environment, and after that there are real exam questions that give confidence to pass the exam. Smart candidates who intend to build a solid foundation in all exam topics and relevant technologies usually combine video lectures with study guides to reap the benefits of both, yet there is one critical preparation tool that is often neglected by many candidates: practice exams. Practice exams are designed to make students comfortable with the actual exam setting. Statistics have shown that many students fail not because of their preparation but because of exam stress and anxiety, the fear of the unknown. The TestKingIT specialist group suggests that you prepare some notes on these topics and, together with that, do not forget to practise with the IAPP CIPP/E exam dumps created by our expert team. Both of these will help you a great deal to clear this exam with good marks.
The CIPP-E exam is recognized globally as a leading certification program for privacy professionals. It is designed to help individuals develop a deep understanding of the legal and regulatory framework surrounding data protection in Europe. Certified Information Privacy Professional/Europe (CIPP/E) certification is awarded by the International Association of Privacy Professionals (IAPP), a nonprofit organization that is dedicated to promoting privacy and data protection practices around the world.
NEW QUESTION # 100
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
- A. The European Parliament
- B. The European Commission
- C. The European Council
- D. The Article 29 Working Party
Answer: B
Explanation:
Reference: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
NEW QUESTION # 101
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?
- A. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
- B. The resulting obligation to notify data subjects would involve disproportionate effort.
- C. The incident resulted from the actions of a third-party that were beyond their control.
- D. The sensitivity of the categories of data involved in the incident was not substantial enough.
Answer: A
Explanation:
According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach. Reference:
GDPR, Art 33, Art 34, Art 28
Free CIPP/E Study Guide, p. 15
European Data Protection Law & Practice, p. 123-124
Personal data breach notification under the GDPR
NEW QUESTION # 102
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a database, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
- A. Compliant with the security principle, because the database is password-protected.
- B. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the database.
- C. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
- D. Not applicable, because the database is password-protected, and therefore is not at risk of identifying any data subject.
Answer: C
Explanation:
The GDPR requires that the processor only processes personal data on behalf of the controller and according to the controller's instructions [1][2]. The agreement between the controller and the processor must include provisions that ensure that the processor does not process personal data for any other purposes or in a manner that is inconsistent with the controller's instructions [3][4]. Therefore, if the processor stores personal data that is not necessary for the performance of the contract with the controller, such as the social network followers of the client, this is a breach of the GDPR and the processor may be fined [2]. The fact that the database is password-protected does not affect the applicability of the GDPR or the security principle, as the data is still personal data that can identify data subjects. The storage limitation principle also requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed, so deleting the database after the audit does not make the situation compliant. Reference:
1: Article 28 of the GDPR
2: Guidelines 07/2020 on the concepts of controller and processor in the GDPR
3: Understanding Controller-to-Processor Agreements - GDPR Advisor
4: New Guidelines on Data Controllers and Processors: Time to Review Data Processing Agreements
Article 4 of the GDPR
Article 5 of the GDPR
NEW QUESTION # 103
The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?
- A. The right to lodge a complaint with a supervisory authority.
- B. The rights of access, erasure, restriction, and portability.
- C. The categories of personal data concerned.
- D. The recipients or categories of recipients.
Answer: C
Explanation:
According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. Reference:
Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 13: Information to be provided where personal data are collected from the data subject - GDPR
NEW QUESTION # 104
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
- A. Personal data of EU residents being processed by a non-EU business that targets EU customers.
- B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
- C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
- D. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
Answer: B
Explanation:
Explanation/Reference: https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extra-territoriality/
NEW QUESTION # 105
SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?
- A. Eliminate the fields, as they are not proportional to the services being offered.
- B. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.
- C. Make all the fields optional.
- D. Only request the information in brackets (i.e., age group and salary range).
Answer: B
NEW QUESTION # 106
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- B. When an individual's details are obtained from their inquiries about buying a product.
- C. When an individual has not consented to the marketing.
- D. Where an individual's details have been obtained from a bought-in marketing list.
Answer: B
Explanation:
The "soft opt-in" rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met [1][2]:
- the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
- the sender only sends direct marketing relating to its own similar products or services; and
- the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.
Option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual's details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the "soft opt-in" rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. Reference:
1: Electronic mail marketing | ICO
2: Direct marketing rules and exceptions under the GDPR
NEW QUESTION # 107
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A. A mandatory notification for personal data breaches applicable to all data controllers.
- B. A voluntary notification for personal data breaches applicable to all data controllers.
- C. A voluntary notification for personal data breaches applicable to electronic communication providers.
- D. A mandatory notification for personal data breaches applicable to electronic communication providers.
Answer: D
Explanation:
The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. 
The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. Reference: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches
NEW QUESTION # 108
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
- B. Name and contact details of each controller on behalf of which the processor is acting.
- C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
- D. Categories of processing carried out on behalf of each controller for which the processor is acting.
Answer: A
Explanation:
According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information [1][2]:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. Reference:
GDPR, Article 30(2)
GDPR, Article 35
ICO, Documentation
ICO, Data protection impact assessments
NEW QUESTION # 109
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?
- A. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.
- B. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.
- C. The terms of service shall also enumerate all applicable anti-money laundering laws.
- D. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
Answer: B
NEW QUESTION # 110
SCENARIO
Please use the following to answer the next question:
Ben is a member of the fitness club STAYFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Ben lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Ben was photographed while working out at a branch of STAYFIT in Frankfurt, Germany. At the time, Ben gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Ben no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Ben sends a letter to STAYFIT requesting that his image be removed from the website and all promotional materials. Months pass and Ben, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact STAYFIT through alternate channels, he decides to take action against the company.
Ben contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A. Submit a draft decision to other supervisory authorities for their opinion.
- B. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- C. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
- D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
Answer: B
NEW QUESTION # 111
Higher fines are assessed for GDPR violations due to which of the following?
- A. Failure to appoint a data protection officer.
- B. Violations of a data subject's rights
- C. Violations of a data controller's obligations to obtain a child's consent
- D. Failure to notify a supervisory authority and data subjects of a personal data breach
Answer: B
Explanation:
The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements [1]. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher [1]. The lower tier of fines applies to infringements of the GDPR relating to the following aspects [1]:
- the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;
- the obligations of the certification body pursuant to Articles 42 and 43;
- the obligations of the monitoring body pursuant to Article 41(4).
The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher [1]. The higher tier of fines applies to infringements of the GDPR relating to the following aspects [1]:
- the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;
- the data subjects' rights pursuant to Articles 12 to 22;
- the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
- any obligations pursuant to Member State law adopted under Chapter IX;
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).
Therefore, higher fines are assessed for GDPR violations due to violations of a data subject's rights, as these are among the infringements that fall under the higher tier of fines. Data subjects' rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint [1]. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. Reference:
1: Art. 83 GDPR - General conditions for imposing administrative fines; Article 83 GDPR - GDPRhub
NEW QUESTION # 112
Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?
- A. It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations in exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.
- B. It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.
- C. It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.
- D. It applies only to direct enforcement of data protection supervisory authorities (e.g., finding a breach), but not to initiating or engaging in court proceedings.
Answer: A
Explanation:
The "one-stop-shop" mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR [1]. The "one-stop-shop" mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state [1]. Under the "one-stop-shop" mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing [1]. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing [1]. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows [1]. However, the "one-stop-shop" mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority [1]. These exceptional cases include the following situations [2]:
- when a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;
- when a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;
- when a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;
- when an urgent need to act arises in order to protect the rights and freedoms of data subjects.
In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken [2]. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter [2]. Therefore, option D is the correct answer. Reference:
1: Art. 60 GDPR - Cooperation between the lead supervisory authority and the other supervisory authorities concerned
2: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
NEW QUESTION # 113
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
- A. Approved certifications.
- B. Binding corporate rules.
- C. Law enforcement requests.
- D. Standard contractual clauses.
Answer: A
NEW QUESTION # 114
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
- A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
- B. The contact information of the controller and a description of the retention policy.
- C. The name/s of relevant government agencies involved and the steps needed for revising the data.
- D. The identity and contact details of the controller and the reasons the data is being collected.
Answer: D
Explanation:
Reference: https://gdpr-info.eu/art-13-gdpr/
NEW QUESTION # 115
A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?
- A. If the data protection officer also manages the marketing budget.
- B. If the data protection officer receives instructions from the data controller.
- C. If the data protection officer is provided by the data processor.
- D. If the data protection officer lacks ISO 27001 auditor certification.
Answer: D
Explanation:
Reference: https://www.itgovernance.eu/fr-lu/data-protection-officer-dpo-under-the-gdpr-lu
NEW QUESTION # 116
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To create and maintain records of processing activities.
- B. To monitor compliance with other local or European data protection provisions.
- C. To conduct Privacy Impact Assessments on behalf of the controller or processor.
- D. To create procedures for notification of personal data breaches to competent supervisory authorities.
Answer: C
Explanation:
According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects.
Reference:
- Article 35 of the GDPR
- European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO
- Roles and Responsibilities of a Data Protection Officer
NEW QUESTION # 117
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The establishment of a list of legitimate data processing criteria
- B. The restriction of cross-border data flow
- C. The synchronization of approaches to data protection
- D. The creation of legally binding data protection principles
Answer: B
NEW QUESTION # 118
SCENARIO
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?
- A. Louis does not have the right to object to the use of his data because he previously consented to it.
- B. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
- C. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
- D. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
Answer: D
Explanation:
Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
The GDPR states that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing" and that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it. Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock's affiliates.
NEW QUESTION # 119
Select the answer below that accurately completes the following:
"The right to compensation and liability under the GDPR...
- A. ...provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage."
- B. ...is limited to a maximum amount of EUR 20 million per event of damage or loss."
- C. ...can only be exercised against the data controller, even if a data processor was involved in the same processing."
- D. ...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing."
Answer: D
Explanation:
Reference: https://gdpr-info.eu/art-82-gdpr/
NEW QUESTION # 120
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out sick one day and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
- A. Notify its Data Protection Authority about the data breach.
- B. Analyze and evaluate all of its breach notification obligations.
- C. Notify all of its customers that reside in the European Union.
- D. Analyze and evaluate the liability for customers in Ireland.
Answer: A