CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
2
3
4
5
6
7
8
9
10
11
Next
Last >>

Question # 57

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMickâ€™s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clientsâ€™ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoftâ€™s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companiesâ€™ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liemâ€™s as well as EcoMickâ€™s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liemâ€™s products, she has never shopped EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMickâ€™s contract with MarketIQ must include all of the following provisions EXCEPT?

Processing the personal data upon documented instructions regarding data transfers outside of the EEA.

Notification regarding third party requests for access to Liem and EcoMickâ€™s personal data.

Assistance to Liem and EcoMick in their compliance with data protection impact assessments.

Returning or deleting personal data after the end of the provision of the services.

Full Access

Question # 58

According to the Personal Data Protection Commission's (PDPC) "Guide to basic data anonymization techniques," recently adopted by the Spanish

Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

Swapping.

Generalization.

Data Adjustment.

Attribute Suppression.

Full Access

Question # 59

Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

Anonymizing special categories of data.

Conducting regular audits of the data protection program.

Getting consent from the data subject for a cross border data transfer.

Encrypting data in transit and at rest using strong encryption algorithms.

Full Access

Question # 60

MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?

Yes, because MagicClean is processing data in the EU

Yes. because MagicClean's data processing agreement with the French processor is an establishment in the EU

No, because MagicClean is located m the United States only.

No. because MagicClean is not offering services to EU data subjects.

Full Access

Question # 61

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the companyâ€™s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer childrenâ€™s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figureâ€™s integrated

speakers, making it appear as though that the toy is actually responding to the childâ€™s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figuresâ€™ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the characterâ€™s abilities remain intact.

What presents the BIGGEST potential privacy issue with the companyâ€™s practices?

The NFC portal can read any data stored in the action figures

The information about the data processing involved has not been specified

The cloud service provider is in a country that has not been deemed adequate

The RFID tag in the action figures has the potential for misuse because of the toyâ€™s evolving capabilities

Full Access

Question # 62

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

The controller will be liable to pay an administrative fine

The processor will be liable to pay compensation to affected data subjects

The processor will be considered to be a controller in respect of the processing concerned

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Full Access

Question # 63

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to

Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesnâ€™t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the companyâ€™s app, like storage and sharing of DNA information with other applications and medical providers. The companyâ€™s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customersâ€™ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesnâ€™t include any technology or infrastructure; rather, itâ€™s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bobâ€™s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

Get consent from the app users.

Provide a transparent notice to users.

Anonymize the data and add latency so it avoids disclosing real time locations.

Obtain a court order because location data is a special category of personal data.

Full Access

Answer:

Explanation:

Â According to the GDPR, location data is a type of personal data that can reveal information about an individualâ€™s habits, preferences, or movements1.Â Location data can also be considered as a special category of personal data if it reveals information about an individualâ€™s health, ethnic origin, or religious beliefs2.Â Therefore, location data is subject to the GDPRâ€™s rules on the lawful processing of personal data, which require a valid legal basis, such as consent, contract, legal obligation, vital interest, public interest, or legitimate interest2.

In this scenario, Who-R-U decides to track locations using its app, which means that it collects and processes location data from its app users. This data can be used to identify the app users, as well as to infer information about their interests, preferences, or behavior.Â Therefore, Who-R-U needs to comply with the GDPR, even if it only offers its services to Canadians, because it monitors the behavior of individuals in the EU2.

One of the possible legal bases for processing location data is consent, which means that the app users must give their informed, specific, and freely given agreement to the collection and use of their location data2.Â Consent must be obtained before the processing starts, and it must be easy to withdraw at any time2.Â Consent must also be granular, meaning that the app users must be able to choose which purposes and types of location data they agree to share1.

Therefore, if Who-R-U decides to track locations using its app, it must get consent from the app users, and provide them with clear and transparent information about how, why, and for how long their location data will be processed, who will have access to it, and what rights they have under the GDPR12.Â Who-R-U must also ensure that the consent is voluntary, and that the app users can opt out of location tracking without affecting the functionality or quality of the app12.Â References:Â 1Â Policy Brief: Location Data Under Existing Privacy Laws | FPF. Available at:Â 5Â (Accessed: 11 December 2023)2Â What is the General Data Protection Regulation (GDPR)? | Cloudflare. Available at:Â 6Â (Accessed: 11 December 2023).

Question # 64

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

Only where the organisation can show that it is reasonable to do so because more than one request was made.

Only to the extent this is allowed under the restrictions on data subjectsâ€™ rights introduced under Art 23 of GDPR.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

Only if the organisation can demonstrate that the request is clearly excessive or misguided.

Full Access