
CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Question # 49

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

A. Data Subject Rights.

B. Right of Action.

C. Necessity.

D. Consent.

Question # 50

SCENARIO - Please use the following to answer the next question:

It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.

In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.

The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.

The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.

After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects’ privacy rights.

The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?

A. After the complaint of the supporter.

B. Periodically, when new risks were foreseen.

C. At the end of every match of the season.

D. After the AEPD notification of the investigation.

Question # 51

Please use the following to answer the next question:

WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids’ website states the following:

“WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

A. No marketing information at all.

B. Any marketing information at all.

C. Marketing information related to other business operations of WonderKids.

D. Marketing information for products or services similar to those purchased from WonderKids.

Question # 52

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

A. If the cookies do not track personal data, then pre-checked boxes are acceptable.

B. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question # 53

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

A. Send out consent forms to all of its employees.

B. Minimize the amount of data collected for the lawsuit.

C. Inform all of its employees about the lawsuit.

D. Encrypt the data from all of its employees.

Question # 54

Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

B. Because photographs qualify as biometric data only when they undergo a “specific technical processing”.

C. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

D. Because photographic ID is a physical security measure which is “necessary for reasons of substantial public interest”.

Question # 55

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.

C. When emailing a customer to announce that his recent order should arrive earlier than expected.

D. When paying a search engine company to give prominence to certain products and services within specific search results.

Question # 56

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated.

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

A. The data is sensitive.

B. The data is uncategorized.

C. The data is being used for a new purpose.

D. The data is being processed via a new means.
