Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:
Question # 41

According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

A.

Right to restriction of processing.

B.

Right to erasure ("Right to be forgotten").

C.

Right to lodge a complaint with a supervisory authority.

D.

Right not to be subject to automated individual decision-making

Full Access
Question # 42

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

A.

Inform the subjects about the collection

B.

Provide a public notice regarding the data

C.

Upgrade security to match that of the source

D.

Update the data within a reasonable timeframe

Full Access
Question # 43

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether

the processing could be considered a "cross-border processing"?

A.

The total number of the data subjects interested.

B.

The potential harm for the data subjects affected.

C.

The limitation of rights of the data subjects concerned.

D.

The exposure of the information of the data subjects involved.

Full Access
Question # 44

According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

A.

The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.

B.

The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.

C.

The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.

D.

The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.

Full Access
Question # 45

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?

A.

Processing necessary for scientific or statistical purposes.

B.

Processing necessary for reasons of substantial public interest.

C.

Processing necessary for purposes of preventive or occupational medicine.

D.

Processing necessary for the defense of legal claims in potential negligence cases.

Full Access
Question # 46

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

A.

App developers will expand the amount of data necessary to collect for an app’s functionality.

B.

Users will be given granular types of consent for particular types of processing.

C.

App developers’ responsibilities as data controllers will increase.

D.

Users will see fewer advertisements when using apps.

Full Access
Question # 47

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information

is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

A.

It determines how long to retain the personal data collected.

B.

It has been provided access to personal data in the MarketIQ database.

C.

It uses personal data to improve its products and services for its client-base through machine learning.

D.

It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Full Access
Question # 48

Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

A.

When the personal data is processed only in non-electronic form

B.

When the personal data is collected and then pseudonymised by the controller

C.

When the personal data is held by the controller but not processed for further purposes

D.

When the personal data is processed by an individual only for their household activities

Full Access
Go to page: