CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Go to page:

<< First
Prev
2
3
4
5
6
7
8
9
10
11
Next
Last >>

Question # 65

As a result of the European Court of Justiceâ€™s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulationâ€™s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

Supervised by the same Data Protection Officer.

Consistent with Privacy Shield requirements

Bound by a standard contractual clause.

Inextricably linked in their businesses.

Full Access

Question # 66

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

The Directive was superseded by the EU Directive on Privacy and Electronic Communications.

The Directive was superseded by the General Data Protection Regulation.

The Directive was annulled by the Court of Justice of the European Union.

The Directive was annulled by the European Court of Human Rights.

Full Access

Question # 67

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

If the data protection officer lacks ISO 27001 auditor certification.

If the data protection officer is provided by the data processor.

If the data protection officer also manages the marketing budget.

If the data protection officer receives instructions from the data controller.

Full Access

Answer:

Explanation:

[Reference: https://www.itgovernance.eu/fr-lu/data-protection-officer-dpo-under-the-gdpr-lu, A data controller appointing a data protection officer who lacks ISO 27001 auditor certification would not result in an infringement of Articles 37 to 39 of the GDPR.Â According to Article 37 (5) of the GDPR, the data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39Â 1.Â However, the GDPR does not specify any formal qualifications or certifications that the data protection officer must have, and leaves it to the discretion of the controller or the processor to determine the level of expertise required, depending on the complexity and sensitivity of the data processing activitiesÂ 2. Therefore, the lack of ISO 27001 auditor certification, which is a standard for information security management systems, does not necessarily mean that the data protection officer is not qualified or competent for the role., The other options are incorrect because they would result in an infringement of Articles 37 to 39 of the GDPR.Â According to Article 37 (6) of the GDPR, the data protection officer may be a staff member of the controller or the processor, or fulfil the tasks on the basis of a service contractÂ 1.Â However, the data protection officer must be independent and report directly to the highest management level of the controller or the processorÂ 3.Â Therefore, if the data protection officer is provided by the data processor, there may be a conflict of interest or a lack of autonomy, which would violate Article 38 (3) and (6) of the GDPRÂ 4., According to Article 38 (6) of the GDPR, the data protection officer may fulfil other tasks and duties, provided that they do not result in a conflict of interestsÂ 4.Â However, managing the marketing budget would likely involve a conflict of interests, as the data protection officer would have to oversee and advise on the data processing activities related to marketing, which may not be compatible with his or her role as a data protection officerÂ 5.Â Therefore, if the data protection officer also manages the marketing budget, this would infringe Article 38 (6) of the GDPRÂ 4., According to Article 38 (3) of the GDPR, the data protection officer must not receive any instructions regarding the exercise of his or her tasksÂ 4.Â The data protection officer must act in an independent manner and perform the tasks assigned by the GDPR, such as informing and advising the controller or the processor and the employees, monitoring compliance, cooperating with the supervisory authority, and acting as the contact point for data subjects and the supervisory authorityÂ 6.Â Therefore, if the data protection officer receives instructions from the data controller, this would infringe Article 38 (3) of the GDPRÂ 4.Â References:Â 1: Article 37 of the GDPRÂ 2:Â Guidelines on Data Protection Officers (â€˜DPOsâ€™)Â 3: Article 38 (2) of the GDPRÂ 4: Article 38 of the GDPRÂ 5:Â Data protection officer (DPO) | European CommissionÂ 6: Article 39 of the GDPR, ]

Question # 68

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the companyâ€™s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.â€™s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories â€“ age, income, ethnicity â€“ that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new websiteâ€™s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the websiteâ€™s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.â€™s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techivaâ€™s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the companyâ€™s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

The resulting obligation to notify data subjects would involve disproportionate effort.

The incident resulted from the actions of a third-party that were beyond their control.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Full Access

Answer:

Explanation:

According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach.Â References:

GDPR, Art 33, Art 34, Art 28

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123-124

Personal data breach notification under the GDPR

Question # 69

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the clubâ€™s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissionerâ€™s Office (â€˜ICOâ€™ â€“ the U.K.â€™s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFITâ€™s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javierâ€™s request, how may Javier proceed in order to seek compensation?

He will have to sue the EVETFITâ€™s head office in France, where EVETFIT has its main establishment.

He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Full Access

Question # 70

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the companyâ€™s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his fatherâ€™s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the companyâ€™s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customersâ€™ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customerâ€™s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friendâ€™s daughter, Alice, who just graduated from law school in the U.S., to be the companyâ€™s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the companyâ€™s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the companyâ€™s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyoneâ€™s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

The Court of Justice of the European Union.

The European Data Protection Board.

The Data Protection Authority.

The European Commission.

Full Access

Answer:

Explanation:

Binding Corporate Rules (BCRs) are a data transfer mechanism under the GDPR that allow multinational companies to transfer personal data within their group entities outside the EU, provided that they comply with the data protection principles and rights of the GDPR. BCRs are internal codes of conduct that must be legally binding and enforced by every member of the group.

According to Article 47 of the GDPR, BCRs must be approved by the competent Data Protection Authority (DPA) in the EU, following the consistency mechanism set out in Article 63 of the GDPR. This means that the DPA that receives the application for approval of the BCRs must communicate its draft decision to the European Data Protection Board (EDPB), which will issue its opinion on the BCRs. The EDPB is an independent body composed of representatives of the national DPAs and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR across the EU and issues guidelines, recommendations, and best practices on various aspects of the GDPR.

Therefore, the data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from the Data Protection Authority, which is the supervisory authority responsible for authorising and monitoring the BCRs. The company cannot rely on the BCRs as a valid legal basis for transferring personal data from the EU to the US without the DPAâ€™s approval.

The other options are not correct, as they are not the authorities that approve the BCRs under the GDPR. The Court of Justice of the European Union (CJEU) is the judicial body of the EU that interprets and applies EU law and ensures its uniformity across the EU. The CJEU does not approve the BCRs, but it may rule on the validity or interpretation of the GDPR or other EU laws that affect data protection. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on the BCRs, but it does not approve them. The EDPBâ€™s opinions are not binding, but they must be taken into account by the DPAs. The European Commission is the executive branch of the EU that proposes and implements EU laws and policies. The European Commission does not approve the BCRs, but it may adopt adequacy decisions that recognise that a third country or an international organisation ensures an adequate level of data protection, which is another data transfer mechanism under the GDPR.

References:

GDPR

Binding Corporate Rules (BCR)

Binding Corporate Rules - PwC

Binding Corporate Rules - GDPR Summary

A Guide for Binding Corporate Rules - Hunton Andrews Kurth

Personal data transfers: binding corporate rules (BCRs) under the GDPR

Question # 71

Article 5(1)(b) of the GDPR states that personal data must be â€œcollected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.â€ Based on Article 5(1)(b),

what is the impact of a member stateâ€™s interpretation of the word â€œincompatibleâ€?

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Full Access

Question # 72

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company Bâ€™s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company Aâ€™s factories. Company B wonâ€™t hold any biometric data itself, but the related data will be uploaded to Company Bâ€™s UK servers and used to provide the payroll service. Company Bâ€™s live systems will contain the following information for each of Company Aâ€™s employees:

Name

Address

Date of Birth

Payroll number

National Insurance number

Sick pay entitlement

Maternity/paternity pay entitlement

Holiday entitlement

Pension and benefits contributions

Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isnâ€™t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesnâ€™t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company Bâ€™s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company Câ€™s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company Câ€™s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company Aâ€™s employees is visible to anyone visiting Company Câ€™s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a companyâ€™s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

Hiring companies whose measures are consistent with recommendations of accrediting bodies.

Requesting advice and technical support from Company Aâ€™s IT team.

Avoiding the use of another companyâ€™s data to improve their own services.

Vetting companiesâ€™ measures with the appropriate supervisory authority.

Full Access