Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:
Question # 33

You are the new Data Protection Officer for your company and have to determine whether the company has implemented appropriate technical and organizational measures as required by Article 32 of the GDPR. Which of the following would be the most important to consider when trying to determine this?

A.

How security measures might evolve in the future

B.

Which security measures are endorsed by a majority of experts.

C.

How the public perceives what constitutes adequate security measures

D.

Which kinds of security measures your company has employed in the past

Full Access
Question # 34

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

A.

They are allowed if determined to be technically necessary.

B.

They do not amount to valid consent under any circumstances.

C.

They are allowed if recorded In the register of processing activities.

D.

They constitute valid consent if the processing is necessary for purposes of legitimate interest

Full Access
Question # 35

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

A.

Adequacy

B.

Binding corporate rules.

C.

Explicit consent of employees.

D.

Standard contractual clauses

Full Access
Question # 36

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.

B.

Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

C.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

D.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Full Access
Question # 37

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

A.

The ability to enact new laws by executive order.

B.

The right to access data for investigative purposes.

C.

The discretion to carry out goals of elected officials within the member state.

D.

The authority to select penalties when a controller is found guilty in a court of law.

Full Access
Question # 38

What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?

A.

To issue updated guidelines for data transfers from the EU to third-country signatories to the Convention.

B.

To modify the process for third countries to obtain an adequacy decision from the European Commission.

C.

To strengthen data protection in line with the European and international regulatory framework.

D.

To establish new data subject rights and safeguards for consumers in the EU member states.

Full Access
Question # 39

According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?

A.

Ensuring users understand how the system mitigates bias.

B.

Registering the system in the European AI Board’s database.

C.

Providing detailed documentation about the system to the users.

D.

Conducting a conformity assessment before placing the system on the market.

Full Access
Question # 40

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to

Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

A.

Get consent from the app users.

B.

Provide a transparent notice to users.

C.

Anonymize the data and add latency so it avoids disclosing real time locations.

D.

Obtain a court order because location data is a special category of personal data.

Full Access
Go to page: