CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 17

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR's enforcement regime.

Every supervisory authority of the EU member states where the controller is offering goods or services.

Every supervisory authority for which affected data subjects reside in their EU member state.

Full Access

Answer:

Explanation:

The General Data Protection Regulation (GDPR) introduces a duty for controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR also requires controllers to communicate the personal data breach to the affected data subjects without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR provides that where a controller or a processor is not established in the EU, but is subject to the GDPR, the controller or the processor shall designate in writing a representative in the EU. The representative shall be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. The representative shall act on behalf of the controller or the processor and may be addressed by any supervisory authority or data subject on any issues related to the processing of personal data under the GDPR.

The GDPR also establishes a one-stop shop mechanism, which aims to ensure the consistent and effective application of the GDPR across the EU. The one-stop shop mechanism allows a controller or a processor with establishments in several member states to have a single supervisory authority as its interlocutor, which is the supervisory authority of the main establishment or of the single establishment of the controller or processor. The one-stop shop mechanism also enables a controller or a processor that is not established in the EU, but is subject to the GDPR, to deal with a single lead supervisory authority, which is the supervisory authority of the member state where the representative of the controller or processor is established.

Based on the GDPR and the guidelines of the European Data Protection Board (EDPB), if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, the controller must notify the supervisory authority of the EU member state in which the controllerâ€™s EU representative (pursuant to Article 27) is established. This is the only supervisory authority that the controller must notify, as the controller benefits from the one-stop shop mechanism and has a single lead supervisory authority. The controller does not need to notify every supervisory authority of the EU member states where the controller is offering goods or services or where the affected data subjects reside, as this would be contrary to the principle of consistency and the aim of simplification of the one-stop shop mechanism.

References:

GDPR, Articles 3, 4, 27, 28, 29, 33, 34, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.

EDPB Guidelines 9/2022 on personal data breach notification under GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, and 16.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 3/2018 on the territorial scope of the GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, and 15.

Question # 18

The GDPR forbids the practice of â€œforum shoppingâ€, which occurs when companies do what?

Choose the data protection officer that is most sympathetic to their business concerns.

Designate their main establishment in member state with the most flexible practices.

File appeals of infringement judgments with more than one EU institution simultaneously.

Select third-party processors on the basis of cost rather than quality of privacy protection.

Full Access

Question # 19

According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.

The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.

The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.

The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.

Full Access

Question # 20

Which aspect of processing does the GDPR allow processors to determine for themselves?

The question of whether the controller needs to be informed about the substitution of another processor carrying out specific processing activities on behalf of the controller.

Their own purposes for the processing, if such purposes are compatible with those for which the personal data were initially collected.

The parameters of their marketing campaigns using personal data relating to the controller's customers.

Their own type of hardware or software and the specific security measures for the processing.

Full Access

Answer:

Explanation:

The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPRâ€™s requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.

However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controllerâ€™s instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPRâ€™s security requirements.

The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:

Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.

Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controllerâ€™s instructions.

Processors must not use the personal data relating to the controllerâ€™s customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjectsâ€™ rights to object to direct marketing and to withdraw their consent at any time.

References:

GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

Question # 21

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

The school places a notice near each camera.

The school gets explicit consent from the students.

Processing is necessary for the legitimate interests pursed by the school.

A state law requires facial recognition to verify attendance.

Full Access

Answer:

Explanation:

[Reference: https://www.jdsupra.com/legalnews/let-s-face-it-facial-recognition-1134180/, Â The use of facial recognition technology to track student attendance involves the processing of biometric data, which is a special category of personal data under the GDPR.Â Such data can only be processed under certain conditions, one of which is the explicit consent of the data subject1. Therefore, the school may provide a lawful basis for this processing if it obtains the explicit consent of the students (or their legal guardians, if the students are minors).Â The consent must be freely given, specific, informed and unambiguous, and the students must have the right to withdraw their consent at any time2. The other options do not provide a lawful basis for this processing, as they do not meet the requirements for processing special categories of data.Â Placing a notice near each camera does not constitute consent, nor does it comply with the transparency principle3.Â Processing for the legitimate interests of the school may be a valid basis for processing personal data in general, but not for processing biometric data, unless it is authorised by a specific law that provides suitable safeguards4.Â A state law that requires facial recognition to verify attendance may also be a valid basis for processing personal data in general, but not for processing biometric data, unless it is necessary for reasons of substantial public interest and provides suitable safeguards5.Â References:, Free CIPP/E Study Guide, page 24, section 3.2, CIPP/E Certification, page 19, section 3.2, Cipp-e Study guides, Class notes & Summaries, page 17, section 3.2, Special categories of personal data - General Data Protection Regulation (GDPR), Article 9, Consent - General Data Protection Regulation (GDPR), Article 7, Principles - General Data Protection Regulation (GDPR), Article 5, Lawfulness of processing - General Data Protection Regulation (GDPR), Article 6, Special categories of personal data - General Data Protection Regulation (GDPR), Article 9, ]

Question # 22

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

The right to request access to the personal data a controller holds about them.

The right to request the deletion of data a controller holds about them.

The right to opt-out of the sale of their personal data to third parties.

The right to request restriction of processing of personal data, under certain scenarios.

Full Access

Question # 23

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

The Court of Justice of the European Union.

The European Data Protection Supervisor.

The European Court of Human Rights.

The European Data Protection Board.

Full Access

Answer:

Explanation:

[Reference: https://www.privacy-regulation.eu/en/recital-143-GDPR.htm, Â The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals., According to the EU Treaties, EU Member-Statesâ€™ courts may â€“ or, in case no appeal from their decisions is possible, must â€“ ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU expresses its ultimate authority to interpret EU law and which are binding for all national courts in the EU when they apply those specific provisions in individual cases. Since May 2018 â€“ when the GDPR became applicable across the EU -, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions ( Fashion ID case ), that consent for online data processing is not validly expressed through pre-ticked boxes ( Planet49 case) and that the European Commission Decision to grant adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, and supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (in the Schrems II case )., Therefore, to receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to the Court of Justice of the European Union, which is the ultimate authority on EU law and the GDPR., References:, GDPR, Court of Justice of the European Union, Court of Justice of the European Union - International Association of Privacy Professionals, Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions, [Competences of the Court of Justice of the European Union], ]

Question # 24

A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

Obtain specific consent for the new processing

Only inform the data subjects of the new purpose.

Proceed no further, as such repurposing is unlawful

Update the privacy notice upon which consent was given

Full Access