Month End Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: geek65

CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Questions 4

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

Options:

A.

Background checks on employees could be performed only under prior notice to all employees.

B.

Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.

C.

Background checks on European employees will stem from data protection and employment law, which can vary between member states.

D.

Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

Buy Now
Questions 5

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

Options:

A.

Binding Corporate Rules are especially recommended for small and medium companies.

B.

The data exporter does not need to be located in the EU for the standard Contractual Clauses.

C.

Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

D.

The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Buy Now
Questions 6

Which of the following was the first legally binding international instrument in the area of data protection?

Options:

A.

Convention 108.

B.

General Data Protection Regulation.

C.

Universal Declaration of Human Rights.

D.

EU Directive on Privacy and Electronic Communications.

Buy Now
Questions 7

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

Options:

A.

Choose the data protection officer that is most sympathetic to their business concerns.

B.

Designate their main establishment in member state with the most flexible practices.

C.

File appeals of infringement judgments with more than one EU institution simultaneously.

D.

Select third-party processors on the basis of cost rather than quality of privacy protection.

Buy Now
Questions 8

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

Options:

A.

Both govern international transfers of personal data

B.

Both govern the manual processing of personal data

C.

Both only apply to European Union countries

D.

Both require notification of processing activities to a supervisory authority

Buy Now
Questions 9

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?

Options:

A.

T-Craze has a French affiliate.

B.

The French affiliate procured the services of Right Target.

C.

T-Craze conducts its marketing and sales activities in France.

D.

The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

Buy Now
Questions 10

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

Options:

A.

The widgets are offered in EU and priced in euro.

B.

The website is in English and French, and is accessible in France.

C.

An affiliate office is located in France but the processing is in the U.S.

D.

The website places cookies to monitor the EU website user behavior.

Buy Now
Questions 11

Which of the following regulates the use of electronic communications services within the European Union?

Options:

A.

Regulator (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015.

B.

Regulation (EU) 2017/1953 of the European Parliament and of the Council of 25 October 2017.

C.

Directive 2002/58'EC of the European Parliament and of the Council of 12 July 2002.

D.

Directive (EU) 2019.789 of the European Parliament and of the Council of 17 April 2019.

Buy Now
Questions 12

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

Options:

A.

App developers will expand the amount of data necessary to collect for an app’s functionality.

B.

Users will be given granular types of consent for particular types of processing.

C.

App developers’ responsibilities as data controllers will increase.

D.

Users will see fewer advertisements when using apps.

Buy Now
Questions 13

Which of the following would require designating a data protection officer?

Options:

A.

Processing is carried out by an organization employing 250 persons or more.

B.

Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C.

The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

D.

The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Buy Now
Questions 14

What term BEST describes the European model for data protection?

Options:

A.

Sectoral

B.

Self-regulatory

C.

Market-based

D.

Comprehensive

Buy Now
Questions 15

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

Options:

A.

The data is sensitive.

B.

The data is uncategorized.

C.

The data is being used for a new purpose.

D.

The data is being processed via a new means.

Buy Now
Questions 16

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He

suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

Options:

A.

Its plan would be in the context of the establishment of a controller in the Union.

B.

It would be offering goods or services to data subjects in the Union.

C.

It is engaging in commercial activities conducted in the Union.

D.

It is monitoring the behavior of data subjects in the Union.

Buy Now
Questions 17

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

Options:

A.

The Court of Justice of the European Union.

B.

The European Data Protection Board.

C.

The Data Protection Authority.

D.

The European Commission.

Buy Now
Questions 18

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

Options:

A.

Data ownership allocation.

B.

Access control management.

C.

Frequent pseudonymization key rotation.

D.

Error propagation avoidance along the processing chain.

Buy Now
Questions 19

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

What is potentially wrong with the backup system operated in the AWS cloud?

Options:

A.

The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.

B.

It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.

C.

The data storage period has to be revised, and a data processing agreement w*h AWS must be signed

D.

AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.

Buy Now
Questions 20

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Options:

A.

Because of the misrepresentation of personal data as an endorsement.

B.

Because of the juxtaposition of the quotation with others’ quotations.

C.

Because of the use of personal data outside of the social networking service (SNS).

D.

Because of the misapplication of the household exception in relation to a social networking service (SNS).

Buy Now
Questions 21

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

Options:

A.

When creating an untargeted pop-up ad on a website.

B.

When calling a potential customer to notify her of an upcoming product sale.

C.

When emailing a customer to announce that his recent order should arrive earlier than expected.

D.

When paying a search engine company to give prominence to certain products and services within specific search results.

Buy Now
Questions 22

Which of the following is one of the supervisory authority’s investigative powers?

Options:

A.

To notify the controller or the processor of an alleged infringement of the GDPR.

B.

To require that controllers or processors adopt approved data protection certification mechanisms.

C.

To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.

D.

To require data controllers to provide them with written notification of all new processing activities.

Buy Now
Questions 23

A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property

Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

Options:

A.

The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.

B.

The homeowner has not specified which security measures ore in place as part of the surveillance camera system

C.

The GDPR specifically excludes surveillance camera images from the household exemption

D.

The surveillance camera system can potentially film individuals who enter its filming perimeter

Buy Now
Questions 24

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b),

what is the impact of a member state’s interpretation of the word “incompatible”?

Options:

A.

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

B.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

C.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

D.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Buy Now
Questions 25

SCENARIO

Please use the following to answer the next question:

WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What must the contract between WonderKids and the hosting service provider contain?

Options:

A.

The requirement to implement technical and organizational measures to protect the data.

B.

Controller-to-controller model contract clauses.

C.

Audit rights for the data subjects.

D.

A non-disclosure agreement.

Buy Now
Questions 26

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.

How should the company respond to Jack's request to be forgotten?

Options:

A.

The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.

B.

The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.

C.

The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.

D.

The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.

Buy Now
Questions 27

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

What is the nature of BHealthy and Natural Insight’s relationship?

Options:

A.

Natural Insight is BHealthy’s processor because the companies entered into data processing terms.

B.

Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural Insight.

C.

Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens.

D.

Natural Insight is a controller because it is separately determine the purpose of processing when it uses BHealthy’s customer information to improve its machine learning algorithms.

Buy Now
Questions 28

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

Options:

A.

Send out consent forms to all of its employees.

B.

Minimize the amount of data collected for the lawsuit.

C.

Inform all of its employees about the lawsuit.

D.

Encrypt the data from all of its employees.

Buy Now
Questions 29

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

Options:

A.

Privacy dashboard notice

B.

Visualization notice.

C.

Just-in-lime notice.

D.

Layered notice.

Buy Now
Questions 30

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

Options:

A.

Personal data revealing ethnic origin.

B.

Personal data revealing genetic data.

C.

Personal data revealing financial data.

D.

Personal data revealing trade union membership.

Buy Now
Questions 31

Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

Options:

A.

Data subject rights

B.

Data access disputes

C.

Cross-border processing

D.

Special categories of data

Buy Now
Questions 32

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Options:

A.

When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B.

When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C.

When the controller is required to have a Data Protection Officer.

D.

When personal data is being transferred outside of the EEA.

Buy Now
Questions 33

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

Options:

A.

Greece

B.

Norway

C.

Australia

D.

Switzerland

Buy Now
Questions 34

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

Options:

A.

The controller will be liable to pay an administrative fine

B.

The processor will be liable to pay compensation to affected data subjects

C.

The processor will be considered to be a controller in respect of the processing concerned

D.

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Buy Now
Questions 35

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

Options:

A.

Processing the personal data upon documented instructions regarding data transfers outside of the EEA.

B.

Notification regarding third party requests for access to Liem and EcoMick’s personal data.

C.

Assistance to Liem and EcoMick in their compliance with data protection impact assessments.

D.

Returning or deleting personal data after the end of the provision of the services.

Buy Now
Questions 36

What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

Options:

A.

IT did not account for the rapid growth of the Internet

B.

It did not include protections for sensitive personal data

C.

It was implemented in a fragmented manner by a small number of states.

D.

Its penalties for violations of data protection rights were widely viewed as r sufficient.

Buy Now
Questions 37

What is the main task of the European Data Protection Board?

Options:

A.

To assess adequacy of data protection in third countries

B.

To ensure consistent application of the GDPR.

C.

To proactively prevent disputes between national supervisory authorities.

D.

To publish guidelines tor data subjects on how to property enforce their rights

Buy Now
Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Mar 20, 2023
Questions: 250
CIPP-E pdf

CIPP-E PDF

$28  $80
CIPP-E Engine

CIPP-E Testing Engine

$33.25  $95
CIPP-E PDF + Engine

CIPP-E PDF + Testing Engine

$45.5  $130