CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 25

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the companyâ€™s

revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer childrenâ€™s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figureâ€™s integrated

speakers, making it appear as though that the toy is actually responding to the childâ€™s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figuresâ€™ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the characterâ€™s abilities remain intact.

In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

Encrypt the data in transit over the wireless Bluetooth connection.

Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.

Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.

Full Access

Answer:

Explanation:

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In this scenario, the company is processing personal data of children, such as their voice, questions, preferences, and location, through the connected toys that use a wireless Bluetooth connection to communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted, hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of the data. Encryption is a process of transforming data into an unreadable form, using a secret key or algorithm, that can only be reversed by authorized parties who have the corresponding key or algorithm. Encryption can protect the data from being accessed or modified by anyone who does not have the key or algorithm, thus ensuring the confidentiality and integrity of the data.

The other options are incorrect because:

B. Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance the security of the userâ€™s account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes.

C. Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security for the userâ€™s account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, or who may not have reliable biometric features, or who may find the process too complex or cumbersome.

D. Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a relevant measure to protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches. While contractual clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a non-EU country that does not have an adequacy decision from the European Commission, they do not address the security of the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a technical or organisational measure, but a legal measure, that falls under a different provision of the GDPR, namely Article 46.

References:Â Article 32 and Recitals (75), (76), (78), (83), and (85) of the GDPR,Â Security of processing,Â Encryption,Â Authentication, [Contractual clauses]

Question # 26

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company Bâ€™s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company Aâ€™s factories. Company B wonâ€™t hold any biometric data itself, but the related data will be uploaded to Company Bâ€™s UK servers and used to provide the payroll service. Company Bâ€™s live systems will contain the following information for each of Company Aâ€™s employees:

Name

Address

Date of Birth

Payroll number

National Insurance number

Sick pay entitlement

Maternity/paternity pay entitlement

Holiday entitlement

Pension and benefits contributions

Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isnâ€™t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesnâ€™t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company Bâ€™s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company Câ€™s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company Câ€™s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company Aâ€™s employees is visible to anyone visiting Company Câ€™s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

Under the GDPR, which of Company Bâ€™s actions would NOT be likely to trigger a potential enforcement action?

Their omission of data protection provisions in their contract with Company C.

Their failure to provide sufficient security safeguards to Company Aâ€™s data.

Their engagement of Company C to improve their payroll service.

Their decision to operate without a data protection officer.

Full Access

Answer:

Explanation:

While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:

A. Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.

B. Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action.

C. Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action.

D. Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.

Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.

Question # 27

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Full Access

Question # 28

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the companyâ€™s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his fatherâ€™s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the companyâ€™s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customersâ€™ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customerâ€™s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friendâ€™s daughter, Alice, who just graduated from law school in the U.S., to be the companyâ€™s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the companyâ€™s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the companyâ€™s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyoneâ€™s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

An information security risk by copying the data into a new database.

A potential legal liability and financial exposure from its customers.

A significant risk to the customersâ€™ fundamental rights and freedoms.

A significant risk due to the lack of an informed consent mechanism.

Full Access

Answer:

Explanation:

Â According to the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject1.Â The GDPR also recognizes that the processing of special categories of personal data, such as data revealing political opinions, religious or philosophical beliefs, or data concerning health or sex life, may entail a high risk to the rights and freedoms of natural persons2.Â Therefore, such data can only be processed under certain conditions, such as when the data subject has given explicit consent, or when the processing is necessary for reasons of substantial public interest3.

In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customersâ€™ fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Benâ€™s actions constituted the most serious violation of the GDPR in this scenario.

References:

Art. 5 GDPR â€“ Principles relating to processing of personal data

Recital 51 GDPR â€“ Protecting sensitive personal data

Art. 9 GDPR â€“ Processing of special categories of personal data

[Guidelines 3/2019 on processing of personal data through video devices]

I hope this helps you understand the GDPR and data processing better. If you have any other questions, please feel free to ask me. ðŸ˜Š

Question # 29

According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

When processed with the intent to publish information regarding a natural person on publicly accessible media.

When processed with the intent to proceed to scientific or historical research projects.

When processed with the intent to uniquely identify or authenticate a natural person.

When processed with the intent to comply with a law.

Full Access

Question # 30

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotronâ€™s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotronâ€™s legal department.

Registration Form

Vigotronâ€™s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotronâ€™s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customerâ€™s name, email address or any other information gathered from the app to any third- party without a customerâ€™s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturerâ€™s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:

Surname:

Year of birth:

Email:

Physical Address (optional*):

Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. [â€¦]

2.Applicable law. [â€¦]

3.Limitation of liability. [â€¦]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

What is one potential problem Vigotronâ€™s age policy might encounter under the GDPR?

Age restrictions are more stringent when health data is involved.

Users are only required to be aged 13 or over to be considered adults.

Organizations must make reasonable efforts to verify parental consent.

Organizations that tie a service to marketing must seek consent for each purpose.

Full Access

Question # 31

How does the GDPR now define â€œprocessingâ€?

Any act involving the collecting and recording of personal data.

Any operation or set of operations performed on personal data or on sets of personal data.

Any use or disclosure of personal data compatible with the purpose for which the data was collected.

Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Full Access

Question # 32

The EDPB's Guidelines 8/2020 on the targeting of social media users stipulates that in order to rely on legitimate interest as a legal basis to process personal data, three tests must be passed. Which of the following is NOT one of the three tests?

Purpose test.

Necessity test.

Balancing test.

Adequacy test.

Full Access