
CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Question # 49

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

To ensure GDPR compliance, what should be the company’s position on the issue of consent?

A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.

B. Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority.

C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.

D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected.

Question # 50

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike’s request.

B. Not more than two months after verifying Mike’s identity.

C. When all the information about Mike has been collected.

D. Not more than thirty days after submission of Mike’s request.

Question # 51

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

A. Accuracy

B. Storage Limitation

C. Integrity and confidentiality

D. Lawfulness, fairness and transparency

Question # 52

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?

A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

B. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

C. A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the timely dissemination of such information.

D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.

Question # 53

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.

B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Question # 54

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

A. The Court of Justice of the European Union.

B. The European Data Protection Supervisor.

C. The European Court of Human Rights.

D. The European Data Protection Board.

Question # 55

According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.

B. If there is such a large amount of data that the controller cannot identify the data subject of the request.

C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.

D. If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.

Question # 56

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

A. The European Commission can adopt an adequacy decision for individual companies.

B. The European Commission can adopt, repeal or amend an existing adequacy decision.

C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.

D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
