CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 33

You are the new Data Protection Officer for your company and have to determine whether the company has implemented appropriate technical and organizational measures as required by Article 32 of the GDPR. Which of the following would be the most important to consider when trying to determine this?

How security measures might evolve in the future

Which security measures are endorsed by a majority of experts.

How the public perceives what constitutes adequate security measures

Which kinds of security measures your company has employed in the past

Full Access

Question # 34

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

They are allowed if determined to be technically necessary.

They do not amount to valid consent under any circumstances.

They are allowed if recorded In the register of processing activities.

They constitute valid consent if the processing is necessary for purposes of legitimate interest

Full Access

Question # 35

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

Adequacy

Binding corporate rules.

Explicit consent of employees.

Standard contractual clauses

Full Access

Answer:

Explanation:

According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company.Â Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available.Â Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage.Â Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer.Â SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR.Â References:Â 1: Art.Â 44 GDPR - General principle for transfers22: Adequacy decisions - European Commission13: Binding corporate rules - European Commission14: Article 7 of the GDPR.Â : Standard Contractual Clauses (SCC) - European Commission1.

Question # 36

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customersâ€™ data to third parties, and heâ€™s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louisâ€™s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentableâ€™s response letter confirms Louisâ€™s suspicions. Accidentable is Bedrock Insuranceâ€™s wholly owned subsidiary, and they received information about Louisâ€™s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louisâ€™s contract included, a provision in which he agreed to share his information with Bedrockâ€™s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrockâ€™s obligation in regard to Louisâ€™s data portability request?

Bedrock does not have a duty to transfer Louisâ€™s data to Zantrum if doing so is legitimately not technically feasible.

Bedrock does not have to transfer Louisâ€™s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

Bedrock has failed to comply with the duty to transfer Louisâ€™s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

Bedrock has failed to comply with the duty to transfer Louisâ€™s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Full Access

Question # 37

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

The ability to enact new laws by executive order.

The right to access data for investigative purposes.

The discretion to carry out goals of elected officials within the member state.

The authority to select penalties when a controller is found guilty in a court of law.

Full Access

Question # 38

What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?

To issue updated guidelines for data transfers from the EU to third-country signatories to the Convention.

To modify the process for third countries to obtain an adequacy decision from the European Commission.

To strengthen data protection in line with the European and international regulatory framework.

To establish new data subject rights and safeguards for consumers in the EU member states.

Full Access

Question # 39

According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?

Ensuring users understand how the system mitigates bias.

Registering the system in the European AI Boardâ€™s database.

Providing detailed documentation about the system to the users.

Conducting a conformity assessment before placing the system on the market.

Full Access

Question # 40

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to

Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesnâ€™t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the companyâ€™s app, like storage and sharing of DNA information with other applications and medical providers. The companyâ€™s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customersâ€™ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesnâ€™t include any technology or infrastructure; rather, itâ€™s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bobâ€™s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

Get consent from the app users.

Provide a transparent notice to users.

Anonymize the data and add latency so it avoids disclosing real time locations.

Obtain a court order because location data is a special category of personal data.

Full Access

Answer:

Explanation:

Â According to the GDPR, location data is a type of personal data that can reveal information about an individualâ€™s habits, preferences, or movements1.Â Location data can also be considered as a special category of personal data if it reveals information about an individualâ€™s health, ethnic origin, or religious beliefs2.Â Therefore, location data is subject to the GDPRâ€™s rules on the lawful processing of personal data, which require a valid legal basis, such as consent, contract, legal obligation, vital interest, public interest, or legitimate interest2.

In this scenario, Who-R-U decides to track locations using its app, which means that it collects and processes location data from its app users. This data can be used to identify the app users, as well as to infer information about their interests, preferences, or behavior.Â Therefore, Who-R-U needs to comply with the GDPR, even if it only offers its services to Canadians, because it monitors the behavior of individuals in the EU2.

One of the possible legal bases for processing location data is consent, which means that the app users must give their informed, specific, and freely given agreement to the collection and use of their location data2.Â Consent must be obtained before the processing starts, and it must be easy to withdraw at any time2.Â Consent must also be granular, meaning that the app users must be able to choose which purposes and types of location data they agree to share1.

Therefore, if Who-R-U decides to track locations using its app, it must get consent from the app users, and provide them with clear and transparent information about how, why, and for how long their location data will be processed, who will have access to it, and what rights they have under the GDPR12.Â Who-R-U must also ensure that the consent is voluntary, and that the app users can opt out of location tracking without affecting the functionality or quality of the app12.Â References:Â 1Â Policy Brief: Location Data Under Existing Privacy Laws | FPF. Available at:Â 5Â (Accessed: 11 December 2023)2Â What is the General Data Protection Regulation (GDPR)? | Cloudflare. Available at:Â 6Â (Accessed: 11 December 2023).

Go to page: