[Q184-Q208] The Best Valid CIPP-E Dumps for Helping Passing CIPP-E Exam!


UPDATED IAPP CIPP-E Exam Questions & Answer


To prepare for the CIPP-E Exam, candidates can take advantage of the IAPP’s study materials, which include textbooks, online courses, and practice exams. These resources provide a comprehensive overview of the topics covered on the exam and can help candidates identify areas where they may need additional study. Additionally, candidates can attend training sessions and conferences to learn more about data privacy and network with other professionals in the field.


The IAPP CIPP-E certification is a must-have credential for professionals who want to demonstrate their expertise in EU data protection laws and regulations. The CIPP-E exam covers a wide range of topics and is ideal for privacy and security professionals, lawyers, and anyone else who is responsible for ensuring compliance with EU privacy laws. Passing the exam validates your knowledge and demonstrates your commitment to protecting personal data in the EU.

 

NEW QUESTION # 184
In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

  • A. Storing all personal data within the borders of the European Union.
  • B. Adopting a risk-based approach and implementing supplementary measures as needed.
  • C. Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.
  • D. Obtaining explicit consent from each EU citizen for every individual data transfer.

Answer: B


NEW QUESTION # 185
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?

  • A. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
  • B. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
  • C. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
  • D. Consent for data collection is implied through the parent's purchase of the action figure for the child.

Answer: B

Explanation:
According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of ISS include online marketplaces, social media platforms, and online games.
In this scenario, the company is offering an ISS to children, as the connected toys talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice and the questions they ask. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children's best interests.
The other options are incorrect because:
C) The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children's consent.
A) The company does not need to obtain written authorization from the supervisory authority to process children's data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state; it does not pre-authorise ordinary processing.
D) Consent for data collection cannot be implied through the parent's purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent's agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.


NEW QUESTION # 186
A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

  • A. A state law requires facial recognition to verify attendance.
  • B. The school gets explicit consent from the students.
  • C. Processing is necessary for the legitimate interests pursued by the school.
  • D. The school places a notice near each camera.

Answer: B


NEW QUESTION # 187
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

  • A. National data protection authorities.
  • B. The Council of the European Union.
  • C. Approved data controllers.
  • D. The European Data Protection Supervisor.

Answer: A

Explanation:
Article 46(2)(d) of the GDPR lists, as an appropriate safeguard for international transfers, standard data protection clauses adopted by a supervisory authority and approved by the Commission under the examination procedure of Article 93(2). A national data protection authority is therefore the only body besides the Commission that can adopt standard contractual clauses. Controllers cannot adopt standard clauses; they may only use ad hoc contractual clauses, and those require authorisation from the competent supervisory authority under Article 46(3)(a). Neither the Council nor the European Data Protection Supervisor has a role in adopting SCCs.
Reference: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en


NEW QUESTION # 188
SCENARIO
Please use the following to answer the next question:
Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' data to third parties, and he's convinced that Erbium must have gotten his information from ABC.
Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him the full range of their insurance policies.
Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.
In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.
ABC supplies Jason with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron as this is not technically feasible. ABC also explains that Jason's contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Jason is still receiving unwanted calls from Erbium Insurance. He writes to Erbium to ask for the name of the organization that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Erbium's response letter confirms Jason's suspicions. Erbium is ABC's wholly owned subsidiary, and they received information about Jason's accident from ABC shortly after Jason submitted his accident claim.
Erbium assures Jason that there has been no breach of the GDPR, as Jason's contract included a provision in which he agreed to share his information with ABC's affiliates for business purposes.
Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes ABC's obligation in regard to Jason's data portability request?

  • A. ABC has failed to comply with the duty to transfer Jason's data to Xentron because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
  • B. ABC has failed to comply with the duty to transfer Jason's data to Xentron because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.
  • C. ABC does not have to transfer Jason's data to Xentron because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
  • D. ABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible.

Answer: D

Explanation:
Article 20(1) of the GDPR gives the data subject the right to receive the personal data he has provided to a controller in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and is carried out by automated means. ABC has satisfied that part by supplying an XML version of the No Claims Certificate. Article 20(2) adds a right to have the data transmitted directly from one controller to another only "where technically feasible", and Recital 68 states that the right does not create an obligation for controllers to adopt or maintain technically compatible processing systems. ABC therefore has no duty to transfer the data directly to Xentron if that is legitimately not technically feasible. Option A ignores the feasibility qualifier; option B invents an obligation to build interoperable formats that the Regulation does not impose; option C cites the public-interest carve-out in Article 20(3), which is irrelevant because ABC processes Jason's data to perform an insurance contract, not a task in the public interest.


NEW QUESTION # 189
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?

  • A. Records showing that customers have explicitly consented to the intended profiling activities.
  • B. An evaluation of the complexity of the intended processing.
  • C. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.
  • D. An explanation of the purposes and means of the intended processing.

Answer: D

Explanation:
According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:
* the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
* the purposes and means of the intended processing;
* the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
* the contact details of the data protection officer, if any;
* the data protection impact assessment provided for in Article 35; and
* any other information requested by the supervisory authority.
Therefore, the correct answer is D, an explanation of the purposes and means of the intended processing (Article 36(3)(b)). This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36: records of explicit consent (A) concern the lawfulness of the processing under Articles 6 and 9, not the consultation; an evaluation of the complexity of the processing (B) is not in the Article 36(3) list; and certificates of the DPO's professional qualities (C) relate to the designation of the DPO under Article 37, whereas Article 36 asks only for the DPO's contact details. References:
* Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.
* ICO guidance, which explains the process and requirements of the prior consultation.
* EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.


NEW QUESTION # 190
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
What is potentially wrong with the backup system operated in the AWS cloud?

  • A. AWS is a U.S. company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
  • B. It is unlawful to process any personal data in a cloud unless the cloud is certified as GDPR-compliant by a competent supervisory authority.
  • C. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
  • D. The data storage period has to be revised, and a data processing agreement with AWS must be signed.

Answer: D

Explanation:
According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [1]. Therefore, the data storage period of the backup system must be aligned with this storage limitation principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects [2]. This is done by a contract or other legal act, usually a data processing agreement, that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller [3]. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR [4]. Neither option A nor option B states the law correctly: transfers to a U.S. processor are governed by Chapter V transfer mechanisms, not by a blanket written-consent requirement, and the GDPR has no mandatory cloud certification. Option C describes something the GDPR does not restrict, since processing within the EU is not an international transfer.
Reference:
[1] Free CIPP/E Study Guide, page 24, section 4.2.1
[2] Free CIPP/E Study Guide, page 25, section 4.3
[3] GDPR, Article 28
[4] GDPR - Amazon Web Services (AWS), section "GDPR resources"


NEW QUESTION # 191
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

  • A. More information about Frank's data protection training.
  • B. More information about what students have been told and how the research will be used.
  • C. More information about the algorithm Frank used to mask student numbers.
  • D. More information about the extent of the information loss.

Answer: B


NEW QUESTION # 192
Which of the following entities would most likely be exempt from complying with the GDPR?

  • A. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.
  • B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
  • C. A South American company that regularly collects European customers' personal data.
  • D. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.

Answer: A

Explanation:
Under Article 3(1), the GDPR applies to processing in the context of the activities of an establishment of a controller or processor in the Union, regardless of where the processing itself takes place; under Article 3(2) it also applies to controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union. Option B is an EU-established company, so storing the data in Australia changes nothing. Option C deliberately collects European customers' data, which is targeting under Article 3(2). Option D has opened an EU establishment specifically to serve European customers. Option A has neither an EU establishment nor EU data subjects; using a storage product made by a European vendor does not bring a company within the Regulation.


NEW QUESTION # 193
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores.
Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

  • A. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  • B. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
  • C. Encrypt the data in transit over the wireless Bluetooth connection.
  • D. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

Answer: C

Explanation:
According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In this scenario, the company processes children's personal data, such as their voice recordings and the questions they ask, through connected toys that communicate with smartphones, tablets, cloud servers and other toys over Bluetooth. The scenario states that any mobile device within a 10-meter radius can connect to a figure, so the wireless link is exposed to eavesdropping, message injection and impersonation by anyone nearby. Encrypting the data in transit over the Bluetooth connection addresses that exposure directly. Encryption transforms the data into a form that is unreadable without the corresponding key, so an attacker who captures the traffic learns nothing about its content. Note that encryption on its own provides confidentiality; to also detect alteration of messages in transit, which is the "integrity" limb of Article 32(1)(b), the company needs authenticated encryption (an AEAD mode such as AES-GCM) or a separate message authentication code. Plain encryption without authentication can be modified in transit without detection.
The other options are incorrect because:
* A. Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication verifies the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance the security of the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted or modified. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes.
* D. Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication verifies the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security for the user's account or device, it does not protect the data that is transmitted over the wireless connection. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, who may not have reliable biometric features, or who may find the process too complex or cumbersome.
* B. Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a measure that protects the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches. While contractual clauses may be necessary to legitimise the transfer to South Africa, a non-EU country without an adequacy decision from the European Commission, they do not address the security of the wireless link. Moreover, contractual clauses are a legal transfer mechanism under a different provision of the GDPR, Article 46, not a technical or organisational security measure under Article 32.
References: Article 32 and Recitals 75, 76, 78, 83 and 85 of the GDPR (security of processing, encryption, authentication, contractual clauses)


NEW QUESTION # 194
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

  • A. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • B. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • C. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  • D. The processing is done by a non-profit organization and the results are disclosed outside the organization.

Answer: D

Explanation:
Article 9(1) of the GDPR prohibits the processing of special categories of personal data, which include biometric data processed for the purpose of uniquely identifying a natural person. Article 9(2) then sets out ten exceptions to this general prohibition, usually referred to as 'conditions for processing special category data'. These are:
(a) Explicit consent (unless Union or Member State law provides that the prohibition may not be lifted by the data subject)
(b) Employment, social security and social protection law
(c) Vital interests, where the data subject is physically or legally incapable of giving consent
(d) Not-for-profit bodies with a political, philosophical, religious or trade union aim, provided the data are not disclosed outside the body without the consent of the data subjects
(e) Data manifestly made public by the data subject
(f) Legal claims and courts acting in their judicial capacity
(g) Substantial public interest
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Options A, B and C correspond to conditions (a), (f) and (c) respectively, so each is a valid exception. Option D is not: condition (d) only covers processing by a not-for-profit body in the course of its legitimate activities, and it expressly requires that the personal data are not disclosed outside that body without the consent of the data subjects. A non-profit that discloses the results outside the organisation therefore cannot rely on it. The correct answer is D.
References:
Art. 9 GDPR, Processing of special categories of personal data
What are the rules on special category data? | ICO


NEW QUESTION # 195
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When providing the child with materials purely for educational use.
  • B. When the data is to be processed for market research.
  • C. When providing preventive or counselling services to the child.
  • D. When a legitimate business interest makes obtaining consent impractical.

Answer: C


NEW QUESTION # 196
What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"?

  • A. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
  • B. To give corporations a choice about who their supervisory authority will be.
  • C. To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.
  • D. To encourage the consistency of local data processing activity.

Answer: C


NEW QUESTION # 197
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

  • A. Consider the impact of the profiling on the data subject's interest, rights and freedoms.
  • B. Demonstrate that the profiling is for the purposes of direct marketing.
  • C. Consider the importance of the profiling to their particular objective.
  • D. Carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection.

Answer: B

Explanation:
Under Article 21(1) of the GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to processing based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller must then stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims. The WP 29 Guidelines on Automated individual decision-making and Profiling (WP 251) explain how a controller should demonstrate such grounds: carry out an exercise that weighs its own interests against the basis for the data subject's objection, consider the impact of the profiling on the data subject's interests, rights and freedoms, and consider the importance of the profiling to its particular objective. The controller does not need to show that the profiling is for direct marketing purposes. Direct marketing is a separate ground for objection under Article 21(2), and there the data subject's right to object is absolute, so no balancing of legitimate grounds applies at all. Option B is therefore the correct answer.
References: Art. 21 GDPR (https://gdpr.eu/article-21-right-to-object/); ICO, Right to object (https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/)


NEW QUESTION # 198
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. ProStorage can rely on its Binding Corporate Rules
  • B. HRYourWay was ultimately not selected
  • C. ProStorage will obtain consent for all transfers.
  • D. HRYourWay is not located in a third country.

Answer: C


NEW QUESTION # 199
What type of data lies beyond the scope of the General Data Protection Regulation?

  • A. Encrypted
  • B. Anonymized
  • C. Pseudonymized
  • D. Masked

Answer: B

Explanation:
Recital 26 of the GDPR states that the principles of data protection do not apply to anonymous information, that is, information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Pseudonymised data, by contrast, can still be attributed to a person with the use of additional information and therefore remains personal data (Article 4(5) and Recital 26). Encrypted or masked data likewise remains personal data for anyone able to reverse the transformation. Only genuinely anonymised data falls outside the scope of the Regulation.
Reference: https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/the-purposes-and-scope-of-the-general-data-protection-regulation/


NEW QUESTION # 200
Company X has entrusted the processing of their payroll data to Provider Y.
Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

  • A. Company X
  • B. The supervisory authority
  • C. The public
  • D. Law enforcement

Answer: A

Explanation:
Provider Y is a processor acting on behalf of Company X, the controller. Under Article 33(2) of the GDPR a processor must notify the controller without undue delay after becoming aware of a personal data breach. It is then the controller, Company X, that assesses the risk and decides whether notification to the supervisory authority (Article 33(1)) and to the affected data subjects (Article 34) is required. The fact that the stolen copy was encrypted is relevant to that risk assessment, but it does not remove the processor's duty to inform the controller.


NEW QUESTION # 201
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

  • A. Protection of the interests of the data subjects.
  • B. Legitimate interest
  • C. Performance of a contract
  • D. Consent

Answer: B

Explanation:
Under Article 6(1)(f) of the GDPR, legitimate interest is one of the legal bases for processing personal data: the controller may process data where this is necessary for its legitimate interests (or those of a third party), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Recital 47 expressly states that processing personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the controller, and fraud prevention serves the online shop as well as the customers who might otherwise become victims of fraud. The controller must still carry out a balancing test, inform data subjects about the processing in its privacy notice (Articles 13 and 14) and respect their right to object under Article 21.
The other options are incorrect because:
* A. 'Protection of the interests of the data subjects' is not, as worded, one of the six legal bases in Article 6(1). The closest basis, Article 6(1)(d), covers processing necessary to protect the vital interests of a natural person, which is intended for life-or-death situations and not for routine fraud screening in an online shop. Fraud prevention in any case serves primarily the interests of the shop and the public, not the vital interests of the individual customer.
* C. Performance of a contract (Article 6(1)(b)) is a legal basis for processing personal data that is necessary for the execution or fulfilment of a contract between the controller and the data subject. Fraud prevention, however, is not strictly necessary to perform the contract, as it is not directly related to delivering the goods or services the data subject has purchased from the online shop.
* D. Consent (Article 6(1)(a)) requires the data subject to give informed, specific and freely given agreement to the processing of their data for one or more purposes. It is not the most appropriate basis for fraud prevention: it may not be freely given by a customer who feels pressured to agree in order to complete a purchase, it can be withdrawn at any time, and a fraudster using someone else's details would simply not give it, so the protection would fail precisely where it is needed.
References: Articles 6 and 9 of the GDPR; Recital 47; Legitimate interests | ICO.


NEW QUESTION # 202
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

  • A. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
  • B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  • C. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
  • D. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

Answer: C

Explanation:
Article 5(1)(b) sets out the purpose limitation principle. How strictly 'incompatible' is read determines how far a controller may go in using personal data for a purpose other than the one for which it was collected: a narrow reading leaves the controller little room for further processing, a broader reading leaves more. Article 6(4) lists the factors for assessing compatibility (the link between the purposes, the context in which the data were collected, the nature of the data, the possible consequences for data subjects and the existence of appropriate safeguards). The principle says nothing about the level of detail in a controller's documentation, the severity of criminal penalties or the security measures a processor must apply, so options A, B and D are incorrect.


NEW QUESTION # 203
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

  • A. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
  • B. Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.
  • C. Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
  • D. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Answer: B

Explanation:
Article 20(1) gives Louis the right to receive the personal data he provided to Bedrock, processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format; Bedrock has satisfied this by supplying PDF and XML versions of his No Claims Certificate. Article 20(2) adds the right to have the data transmitted directly to another controller, but only 'where technically feasible'. If a direct transfer to Zantrum is genuinely not feasible, Bedrock is not in breach. Option A ignores the technical feasibility condition; option D is wrong because Recital 68 encourages but does not oblige controllers to develop interoperable formats; and option C is wrong because the exclusion in Article 20(3) for tasks carried out in the public interest has nothing to do with a private insurer.


NEW QUESTION # 204
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

  • A. A company wants to use location data to track delivery trucks in order to make the routes more efficient.
  • B. A company wants to use location data to infer information on a person's clothes purchasing habits.
  • C. A company wants to combine location data with other data in order to offer more personalized service for the customer.
  • D. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.

Answer: D

Explanation:
Reference: https://www.shlegal.com/insights/article-29-data-protection-working-party-gdpr-guidelines-on-data-protection-impact-assessments


NEW QUESTION # 205
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Vetting companies' measures with the appropriate supervisory authority.
  • B. Avoiding the use of another company's data to improve their own services.
  • C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • D. Requesting advice and technical support from Company A's IT team.

Answer: C


NEW QUESTION # 206
Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

  • A. File appeals of infringement judgments with more than one EU institution simultaneously.
  • B. Select third-party processors on the basis of cost rather than quality of privacy protection.
  • C. Choose the data protection officer that is most sympathetic to their business concerns.
  • D. Designate their main establishment in member state with the most flexible practices.

Answer: D

Explanation:
The GDPR aims to harmonise data protection rules across the EU and to ensure their consistent and effective enforcement. For cross-border processing it introduces the 'one-stop-shop' mechanism: the supervisory authority of the controller's or processor's main establishment acts as the lead supervisory authority (Article 56). Under Article 4(16), the main establishment of a controller is the place of its central administration in the Union, unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union, in which case that other establishment is the main establishment; for a processor it is the place of its central administration in the Union or, if it has none, the establishment where the main processing activities take place. The Article 29 Working Party, the advisory body made up of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission (succeeded in 2018 by the European Data Protection Board), issued Guidelines for identifying a controller or processor's lead supervisory authority (WP 244). Those guidelines stress that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over them, and they warn against 'forum shopping', whereby a company designates its main establishment in a member state perceived to have the most flexible supervisory practice regardless of where the decisions on the processing are actually taken. The guidelines state that the GDPR does not permit this and that supervisory authorities will scrutinise the criteria used to determine the main establishment.
If the supervisory authorities find that the designated main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures.
References: Art. 4(16) GDPR, Definitions; Art. 56-58 GDPR, Cooperation and consistency; Article 29 Working Party, Guidelines for identifying a controller or processor's lead supervisory authority (WP 244 rev.01); https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr


NEW QUESTION # 207
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following?

  • A. Document the loss of availability to demonstrate accountability
  • B. Conduct a thorough audit of all security systems
  • C. Notify the supervisory authority about the loss of availability
  • D. Notify affected individuals that their data was unavailable for a period of time.

Answer: A

Explanation:
The WP 29 Guidelines on personal data breach notification under Regulation 2016/679 (WP 250 rev.01, adopted in February 2018) treat a temporary loss of availability, for example because of a power failure, as a personal data breach. Whether it must be notified depends on the risk to individuals: the guidelines contrast a hospital that cannot access patient records, where even a temporary outage may need to be notified, with a company's systems being unavailable for a few hours and then restored with no consequences for the individuals concerned. In every case, however, Article 33(5) requires the controller to document the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance. For an unforeseen six-hour loss of access to customer data with no indication of risk to the individuals, documenting the incident is therefore the required step; notifying the supervisory authority or the individuals would only be required if the risk assessment showed a risk, or a high risk, to their rights and freedoms.
Reference: https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827


NEW QUESTION # 208
......


IAPP CIPP-E certification is a valuable credential for anyone who is interested in working in the field of information privacy or who wants to demonstrate their knowledge and expertise in this area. By passing the exam, candidates can demonstrate their commitment to protecting personal data and upholding the principles of privacy and data protection that are enshrined in the GDPR.

 

Updated CIPP-E Dumps Questions For IAPP Exam: https://realexamcollection.examslabs.com/IAPP/Certified-Information-Privacy-Professional/best-CIPP-E-exam-dumps.html