Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:
Question # 9

If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

A.

Decision 2001/497/EC (EU controller to non-EU or EEA controller).

B.

Decision 2004/915/EC (EU controller to non-EU or EEA controller).

C.

Decision 2007/72/EC (EU processor to non-EU or EEA controller).

D.

Decision 2010/87/EU (Non-EU or EEA processor from EU controller).

Full Access
Question # 10

With the issue of consent, the GDPR allows member states some choice regarding what?

A.

The mechanisms through which consent may be communicated

B.

The circumstances in which silence or inactivity may constitute consent

C.

The age at which children must be required to obtain parental consent

D.

The timeframe in which data subjects are allowed to withdraw their consent

Full Access
Question # 11

SCENARIO

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Based on the GDPR’s position on the use of personal data for direct marketing purposes, which of the following is true about Louis’s rights as a data subject?

A.

Louis does not have the right to object to the use of his data because he previously consented to it.

B.

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

C.

Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose

of exercising a legal claim.

D.

Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.

Full Access
Question # 12

A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of the following would be the best legal basis for the company to rely upon?

A.

Public interest.

B.

Individual consent

C.

Legitimate interest.

D.

Exercise of pubic authority.

Full Access
Question # 13

The EDPB's Guidelines 8/2020 on the targeting of social media users stipulates that in order to rely on legitimate interest as a legal basis to process personal data, three tests must be passed. Which of the following is NOT one of the three tests?

A.

Purpose test.

B.

Necessity test.

C.

Balancing test.

D.

Adequacy test.

Full Access
Question # 14

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A.

Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B.

Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR's enforcement regime.

C.

Every supervisory authority of the EU member states where the controller is offering goods or services.

D.

Every supervisory authority for which affected data subjects reside in their EU member state.

Full Access
Question # 15

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

A.

Incidents of personal data breaches, whether disclosed or not.

B.

Data inventory or data mapping exercises that have been conducted.

C.

Categories of recipients to whom the personal data have been disclosed.

D.

Retention periods for erasure and deletion of categories of personal data.

Full Access
Question # 16

A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

A.

If obtaining consent is deemed to involve disproportionate effort.

B.

If obtaining consent is deemed voluntary by local legislation.

C.

If the company limits the footage to data subjects solely of legal age.

D.

If the company’s status as a documentary provider allows it to claim legitimate interest.

Full Access
Go to page: