Certified Information Privacy Professional/Europe (CIPP/E)
Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Questions: 307 Questions Answers With Explanation
Update Date: 04, 26, 2026
Why Should You Prepare For Your Certified Information Privacy Professional/Europe (CIPP/E) With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic IAPP CIPP-E Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Certified Information Privacy Professional/Europe (CIPP/E) test. Whether you’re targeting IAPP certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified CIPP-E Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the CIPP-E Certified Information Privacy Professional/Europe (CIPP/E), you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The CIPP-E
You can instantly access downloadable PDFs of CIPP-E practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the IAPP Exam with confidence.
Smart Learning With Exam Guides
Our structured CIPP-E exam guide focuses on the Certified Information Privacy Professional/Europe (CIPP/E)'s core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.
Pass the CIPP-E Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
After using MyCertsHub's exam dumps to prepare for the Certified Information Privacy Professional/Europe (CIPP/E) exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the CIPP-E exam dumps.
MyCertsHub – Your Trusted Partner For IAPP Exams
Whether you’re preparing for Certified Information Privacy Professional/Europe (CIPP/E) or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your CIPP-E exam has never been easier thanks to our tried-and-true resources.
IAPP CIPP-E Sample Question Answers
Question # 1
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?
A. An evaluation of the complexity of the intended processing.
B. An explanation of the purposes and means of the intended processing.
C. Records showing that customers have explicitly consented to the intended profiling activities.
D. Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.
Answer: B
Question # 2
Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?
A. It cannot be attributed to a data subject without the use of additional information.
B. It cannot be attributed to a person under any circumstances.
C. It can only be attributed to a person by the controller.
D. It can only be attributed to a person by a third party.
Answer: A
Question # 3
An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?
A. Only where the organisation can show that it is reasonable to do so because more than one request was made.
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
C. Only where the administrative costs of taking the action requested exceeds a certain threshold.
D. Only if the organisation can demonstrate that the request is clearly excessive or misguided.
Answer: D
Question # 4
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organizational measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
What is the nature of BHealthy and Natural Insight’s relationship?
A. Natural Insight is BHealthy’s processor because the companies entered into data processing terms.
B. Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural Insight.
C. Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens.
D. Natural Insight is a controller because it is separately determining the purpose of processing when it uses BHealthy’s customer information to improve its machine learning algorithms.
Answer: D
Question # 5
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?
A. The data subjects are no longer current students of Frank’s
B. The processing will not negatively affect the rights of the data subjects
C. The algorithms that Frank uses for the processing are technologically sound
D. The data subjects gave their unambiguous consent for the original processing
Answer: A
Question # 6
Pursuant to Article 17 and EDPB Guidelines 5/2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
A. The personal data has been collected in relation to the offer of Information society services (ISS) to a child.
B. The data subject withdraws consent and there is no other legal basis for the processing.
C. The personal data is no longer necessary in relation to the search engine provider's processing
D. The processing is necessary for exercising the right of freedom of expression and information
Answer: D
Question # 7
According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive all information required for such a purpose under EU data protection law?
A. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.
B. The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.
C. The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.
D. The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.
Answer: B
Question # 8
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
A. When the personal data is processed only in non-electronic form
B. When the personal data is collected and then pseudonymised by the controller
C. When the personal data is held by the controller but not processed for further purposes
D. When the personal data is processed by an individual only for their household activities
Answer: D
Question # 9
Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?
A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
Answer: D
Question # 10
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third-party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?
A. It is not legal to include fields requiring information regarding health status without consent.
B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
Answer: C
Question # 11
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?
A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
B. When it has been determined that adequate protection can be performed.
C. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
D. Only as a last resort and when interpreted restrictively.
Answer: D
Question # 12
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?
A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
B. Adequacy determinations automatically lapse when a Member State leaves the EU.
C. The UK is now a third country because it’s no longer subject to the GDPR.
D. The UK is less trustworthy now that it’s not part of the Union.
Answer: C
Question # 13
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
A. The public
B. Company X
C. Law enforcement
D. The supervisory authority
Answer: B
Question # 14
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides webpage design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated.
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?
A. Because of the misrepresentation of personal data as an endorsement.
B. Because of the juxtaposition of the quotation with others’ quotations.
C. Because of the use of personal data outside of the social networking service (SNS).
D. Because of the misapplication of the household exception in relation to a social networking service (SNS).
Answer: C
Question # 15
According to the GDPR, how is pseudonymous personal data defined?
A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
B. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
C. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
D. Data that has been encrypted or is subject to other technical safeguards.
Answer: A
Question # 16
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?
A. Notify the newspaper that it is delisting the article.
B. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.
C. Identify other controllers who are processing the same information and inform them of the delisting request.
D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
Answer: A
Question # 17
Which statement provides an accurate description of a directive?
A. A directive specifies certain results that must be achieved, but each member state is free to decide how to turn it into a national law
B. A directive has binding legal force throughout every member state and enters into force on a set date in all the member states.
C. A directive is a legal act relating to specific cases and directed towards member states, companies or private individuals.
D. A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.
Answer: A
Question # 18
When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?
A. The ease of identification of individuals.
B. The size of any data processor involved.
C. The special characteristics of the data controller.
D. The nature, sensitivity and volume of personal data.
Answer: B
Question # 19
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?
A. Accuracy
B. Storage Limitation
C. Integrity and confidentiality
D. Lawfulness, fairness and transparency
Answer: C
Question # 20
SCENARIO
Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when salespeople are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye's software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.
After fixing the privacy problems, how long may Gentle Hedgehog store the monitoring data, assuming that no valid data erasure request is received?
A. As long as required by the company's legitimate interests.
B. As long as a concerned employee does not request erasure of the data.
C. As long as provided by the EDPB guidelines for remote employee monitoring.
D. As long as stated in the privacy policy that all employees must follow when processing personal data.
Answer: D
Question # 21
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.
Which of the following best explains why this practice would NOT be subject to the GDPR?
A. Body temperature is not considered personal data.
B. The practice does not involve completion by automated means.
C. Body temperature is considered pseudonymous data.
D. The practice is for the purpose of alleviating extreme risks to public health.
Answer: B
Question # 22
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?
A. The individuals are European citizens or residents.
B. The data processing activities are in Spain.
C. The data controller is in France.
D. The EU individuals are targeted.
Answer: D
Question # 23
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?
A. The terms of service shall also enumerate all applicable anti-money laundering laws.
B. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.
C. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.
D. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
Answer: D
Question # 24
Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?
A. A data breach has not occurred because the loss was not the result of hacking.
B. A data breach has not occurred because no data was exposed to any unauthorized individual.
C. A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.
D. A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.
Answer: D
Question # 25
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
A. Law firm organizations.
B. Civil society organizations.
C. Human rights organizations.
D. Constitutional rights organizations.
Answer: B
Feedback That Matters: Reviews of Our IAPP CIPP-E Dumps