CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
2
3
4
5
6
7
8
9
10
11
Next
Last >>

Question # 81

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the companyâ€™s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his fatherâ€™s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the companyâ€™s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customersâ€™ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customerâ€™s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friendâ€™s daughter, Alice, who just graduated from law school in the U.S., to be the companyâ€™s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the companyâ€™s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the companyâ€™s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyoneâ€™s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

An information security risk by copying the data into a new database.

A potential legal liability and financial exposure from its customers.

A significant risk to the customersâ€™ fundamental rights and freedoms.

A significant risk due to the lack of an informed consent mechanism.

Full Access

Answer:

Explanation:

Â According to the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject1.Â The GDPR also recognizes that the processing of special categories of personal data, such as data revealing political opinions, religious or philosophical beliefs, or data concerning health or sex life, may entail a high risk to the rights and freedoms of natural persons2.Â Therefore, such data can only be processed under certain conditions, such as when the data subject has given explicit consent, or when the processing is necessary for reasons of substantial public interest3.

In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customersâ€™ fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Benâ€™s actions constituted the most serious violation of the GDPR in this scenario.

References:

Art. 5 GDPR â€“ Principles relating to processing of personal data

Recital 51 GDPR â€“ Protecting sensitive personal data

Art. 9 GDPR â€“ Processing of special categories of personal data

[Guidelines 3/2019 on processing of personal data through video devices]

I hope this helps you understand the GDPR and data processing better. If you have any other questions, please feel free to ask me. ðŸ˜Š

Question # 82

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based

company that allows anyone to buy and sell cryptocurrencies via its online platform.

The company stores and processes the personal data of its customers in a

dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on

the platform. They then must successfully pass a Know Your Customer (KYC) due

diligence procedure aimed at preventing money laundering and ensuring

compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by

reading a disclaimer written in bold and ticking a checkbox on a separate page in

order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms

of service also include a privacy policy section, saying, among other things, that if a

customer fails the KYC process, its KYC data will be automatically shared with the

national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including

whether they have any criminal convictions, whether they use recreational drugs or

have problems with alcohol, and whether they have a terminal illness. While

providing this data, customers see a conspicuous message saying that this data is

meant only to prevent fraud and account takeover, and will be never shared with

private third parties.

The company regularly conducts external security testing of its online systems by

independent cybersecurity companies from the EU. At the final stage of testing, the

company provides cybersecurity assessors with access to its central database to

review security permissions, roles and policies. Personal data in the database is

encrypted; however, cybersecurity assessors usually have access to the decryption

keys obtained while running initial security testing. The assessors must strictly

follow the guidelines imposed by the company during the entire testing and auditing

process.

All customer data, including trading activities and all internal communications with

technical support, are permanently stored in a secured AWS S3 Glacier cloud data

storage, located in Ireland, for backup and compliance purposes. The data is

securely transferred to the cloud and then is properly encrypted while at rest by

using AWS-native encryption mechanisms. These mechanisms give AWS the

necessary technical means to encrypt and decrypt the data when such is required

by the company. There is no data processing agreement between AWS and the

company.

Should Jane modify the required GDPR rights waiver for non-European residents?

Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

Yes, this clause must be entirely removed as all customers,

regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Full Access

Question # 83

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the companyâ€™s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.â€™s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories â€“ age, income, ethnicity â€“ that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new websiteâ€™s traffic, in order to get a better understanding of how customers are using it. He explains his plan

to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the websiteâ€™s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.â€™s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techivaâ€™s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the companyâ€™s system of access control must be reconsidered.

With regard to TripBliss Inc.â€™s use of website cookies, which of the following statements is correct?

Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.

Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.

Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Full Access

Answer:

Explanation:

According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the userâ€™s device requires the userâ€™s consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the userâ€™s browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved or the recipients of the data do not affect the consent requirement for the use of cookies. The consent must also be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.

Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. However, in this scenario, there is no indication that the cookies collect or process such data. Therefore, option B is incorrect.

Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user whose device is accessed or stored by the cookie, regardless of who receives the data or how it is processed. Therefore, option C is incorrect.

Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie. Therefore, option D is incorrect.

References:

ePrivacy Directive, Article 5(3)

GDPR, Article 4(11), Article 7, Article 9

CIPP/E Study Guide, Chapter 5, Section 5.2.2

Question # 84

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

The terms of service shall also enumerate all applicable anti-money laundering few.

Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.

Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Full Access

Question # 85

Which of the following is NOT exempt from the material scope of the GDPR. insofar as the processing of personal data is concerned?

A natural person in the course of a large-scale but purely personal or household activity.

A natural person processing data foe a small-scale, purely personal or household activity.

A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.

A natural person in the course of activity conducted purely tor a personally-owned sole proprietorship.

Full Access

Question # 86

What is the main purpose of the EU Data Act?

To enable the processing and transfer of non-personal data within the EU.

To allow users of connected devices to access data generated by their use.

To facilitate the voluntary sharing of data between individuals and businesses.

To regulate individuals' privacy rights and the processing of their personal data.

Full Access

Question # 87

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's

medical information to the hospital?

Ruth's implied consent.

Protecting the vital interest of Ruth.

Performance of a contract with Ruth.

Protecting against legal liability from Ruth.

Full Access

Question # 88

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Crazeâ€™s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

Which of the following is T-Crazeâ€™s lead supervisory authority?

Germany, because that is where T-Craze is headquartered.

France, because that is where T-Craze conducts processing of personal information.

Spain, because that is T-Crazeâ€™s primary market based on its marketing campaigns.

T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.

Full Access