
CIPP-E Online Practice Questions and Answers

Question 4

Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

A. Choose the data protection officer that is most sympathetic to their business concerns.

B. Designate their main establishment in member state with the most flexible practices.

C. File appeals of infringement judgments with more than one EU institution simultaneously.

D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Question 5

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

A. Outside the material scope of the GDPR, because transactions do not include personal data about data subjects in the European Union.

B. Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

C. Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

D. Outside the material scope of the GDPR, because transactions are for personal or household purposes.

Question 6

When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

A. When the data has been pseudonymized.

B. When the data is protected by technological safeguards.

C. When the data serves legitimate interest of third parties.

D. When the data subject has failed to use a provided opt-out mechanism.

Question 7

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

A. The individuals are European citizens or residents.

B. The data processing activities are in Spain.

C. The data controller is in France.

D. The EU individuals are targeted.

Question 8

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.

B. Requesting advice and technical support from Company A's IT team.

C. Avoiding the use of another company's data to improve their own services.

D. Vetting companies' measures with the appropriate supervisory authority.

Question 9

Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

A. The right to privacy is an absolute right

B. The right to privacy has to be balanced against other rights under the ECHR

C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy

D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Question 10

Which of the following is NOT a role of works councils?

A. Determining the monetary fines to be levied against employers for data breach violations of employee data.

B. Determining whether to approve or reject certain decisions of the employer that affect employees.

C. Determining whether employees' personal data can be processed or not.

D. Determining what changes will affect employee working conditions.

Question 11

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business. During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories (age, income, ethnicity) that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.

With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

A. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.

B. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.

D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Question 12

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories (age, income, ethnicity) that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

A. The resulting obligation to notify data subjects would involve disproportionate effort.

B. The incident resulted from the actions of a third-party that were beyond their control.

C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.

D. The sensitivity of the categories of data involved in the incident was not substantial enough.

Question 13

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

A. Inform the data subject of the security measures in place.

B. Ensure that the receiving entity has signed a data processing agreement.

C. Encrypt the transferred data in transit and at rest.

D. Conduct a data protection impact assessment.

Question 14

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts.

Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike's request.

B. Not more than two months after verifying Mike's identity.

C. When all the information about Mike has been collected.

D. Not more than thirty days after submission of Mike's request.

Question 15

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

A. Data ownership allocation.

B. Access control management.

C. Frequent pseudonymization key rotation.

D. Error propagation avoidance along the processing chain.

Question 16

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

A. Only where the organization can show that it is reasonable to do so because more than one request was made.

B. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

C. Only where the administrative costs of taking the action requested exceeds a certain threshold.

D. Only if the organization can demonstrate that the request is clearly excessive or misguided.

Question 17

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

To ensure GDPR compliance, what should be the company's position on the issue of consent?

A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.

B. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.

C. Consent for data collection is implied through the parent's purchase of the action figure for the child.

D. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.

Question 18

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

A. Incidents of personal data breaches, whether disclosed or not.

B. Data inventory or data mapping exercises that have been conducted.

C. Categories of recipients to whom the personal data have been disclosed.

D. Retention periods for erasure and deletion of categories of personal data.

Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Mar 26, 2024
Questions: 283 Q&As
