Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:
Question # 25

With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

A.

If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.

B.

When it has been determined that adequate protection can be performed.

C.

Only if the Data Protection Impact Assessment (DPIA) shows low risk.

D.

Only as a last resort and when interpreted restrictively.

Full Access
Question # 26

What monitoring may lawfully be performed within the scope of Gentle Hedgehog's business?

A.

Everything offered by Sauron Eye's software in relation to activity by sales team contractors.

B.

Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.

C.

Only emails, website browsing history, and camera for internal video calls conducted in a non-secure environment.

D.

Only emails, website browsing history, and camera for internal video calls that are expressly marked as monitored.

Full Access
Question # 27

Select the answer below that accurately completes the following:

“The right to compensation and liability under the GDPR…

A.

…provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.”

B.

…precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing.”

C.

...can only be exercised against the data controller, even if a data processor was involved in the same processing.”

D.

…is limited to a maximum amount of EUR 20 million per event of damage or loss.”

Full Access
Question # 28

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

A.

Information about DPIAs found in Articles 38 through 40 of the GDPR.

B.

Data breach documentation that data controllers are required to maintain.

C.

Existing DPIA guides published by local supervisory authorities.

D.

Records of processing activities that data controllers are required to maintain.

Full Access
Question # 29

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no

longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

A.

Assessed potential privacy risks by conducting a data protection impact assessment.

B.

Consulted with the relevant data protection authority about potential privacy violations.

C.

Distributed a more comprehensive notice to employees and received their express consent.

D.

Consulted with the Information Security team to weigh security measures against possible server impacts.

Full Access
Question # 30

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

A.

Consent management and withdrawal.

B.

Incident detection and response.

C.

Preventative security.

D.

Remedial security.

Full Access
Question # 31

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

A.

When an individual has not consented to the marketing.

B.

When an individual’s details are obtained from their inquiries about buying a product.

C.

Where an individual’s details have been obtained from a bought-in marketing list.

D.

Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Full Access
Question # 32

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

A.

Article 6, which requires processing to be lawful.

B.

Article 7, which requires consent to be as easy to withdraw as it is to give.

C.

Article 16, which provides data subjects with a rights to rectification.

D.

Article 20, which gives data subjects a right to data portability.

Full Access
Go to page: