Buy Latest Jan 12, 2025 CIPP-E Exam Q&A PDF - One Year Free Update [Q75-Q99]


NEW QUESTION # 75
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor has she provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?

  • A. It has been provided access to personal data in the MarketIQ database.
  • B. It makes decisions regarding the technical and organizational measures necessary to protect the personal data.
  • C. It uses personal data to improve its products and services for its client-base through machine learning.
  • D. It determines how long to retain the personal data collected.

Answer: B


NEW QUESTION # 76
According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

  • A. When processed with the intent to comply with a law.
  • B. When processed with the intent to proceed to scientific or historical research projects.
  • C. When processed with the intent to uniquely identify or authenticate a natural person.
  • D. When processed with the intent to publish information regarding a natural person on publicly accessible media.

Answer: C

Explanation:
According to the GDPR, the processing of photographs should not systematically be considered processing of special categories of personal data unless it is covered by the definition of biometric data [1]. Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification or authentication of that natural person, such as facial images or dactyloscopic data [2]. Therefore, the processing of photographs is considered processing of special categories of personal data when it involves the use of specific technical means, such as facial recognition, that allow or confirm the unique identification or authentication of a natural person [3].
Reference: 1: Recital 51 of the GDPR; 2: Article 4(14) of the GDPR; 3: GDPR, Photographs, and Special Categories of Personal Data.


NEW QUESTION # 77
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

  • A. Because of the use of personal data outside of the social networking service (SNS).
  • B. Because of the misrepresentation of personal data as an endorsement.
  • C. Because of the juxtaposition of the quotation with others' quotations.
  • D. Because of the misapplication of the household exception in relation to a social networking service (SNS).

Answer: A

Explanation:
The GDPR defines personal data as "any information relating to an identified or identifiable natural person" (Article 4(1)). This includes names, quotations, and any other data that can be linked to a specific individual. The GDPR also requires that personal data be processed lawfully, fairly, and transparently, and that it be collected for specified, explicit, and legitimate purposes (Article 5(1)). Furthermore, the GDPR grants data subjects the right to object to the processing of their personal data for direct marketing purposes or for the purposes of the legitimate interests of the controller or a third party (Article 21).
In this scenario, Serge may have grounds to object to the use of his quotation on Brady Box's home webpage, as it constitutes the processing of his personal data outside of the original purpose for which it was collected. Serge posted the quotation on Brady Box's SNS, which is a separate service from Brady Box's web page design service. By using the quotation on the home webpage, Brady Box is processing Serge's personal data for a different purpose than the one for which Serge provided it, and without his consent or a legitimate interest. This may violate the principles of purpose limitation and lawfulness under the GDPR. Moreover, Serge may object to the use of his quotation as it implies his endorsement of Brady Box's service, which may affect his reputation or interests.
The other options are less likely to be valid grounds for objection, as they are not directly related to the GDPR's provisions on personal data protection. The misrepresentation of personal data as an endorsement may be a matter of contract law or consumer protection law, but not necessarily a GDPR issue. The juxtaposition of the quotation with others' quotations may not affect Serge's rights or interests, unless it creates a false or misleading impression of his views or opinions. The misapplication of the household exception in relation to an SNS may not apply in this case, as the household exception only covers the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)). Serge's posting of the quotation on an SNS may not qualify as a purely personal or household activity, as it involves the disclosure of personal data to a wider audience.
Reference:
GDPR
GDPR and social media
How does GDPR affect social media marketing?
Data Protection & Social Media: How GDPR Influences Today's Social Media Marketing


NEW QUESTION # 78
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
Why is the additional measure recommended by Jackie sufficient for using UpFinance?

  • A. UpFinance is an established 7-year-old business.
  • B. UpFinance implements sufficient data protection measures.
  • C. UpFinance is in a highly regulated financial industry.
  • D. UpFinance is based in a country without surveillance laws.

Answer: D


NEW QUESTION # 79
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency's roles in this relationship?

  • A. ABC Hotel Chain and XYZ Travel Agency are joint controllers.
  • B. ABC Hotel Chain and XYZ Travel Agency are independent controllers.
  • C. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.
  • D. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.

Answer: A


NEW QUESTION # 80
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

  • A. Failure to process personal information in a manner compatible with its original purpose.
  • B. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
  • C. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
  • D. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.

Answer: D

Explanation:
According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing the obligations of controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option D falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option C is related to Article 7, which governs the conditions for consent. Option A is related to Article 5, which sets out the principles for processing personal data. Option B is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. Reference:
GDPR Article 83
GDPR Article 25
GDPR Article 7
GDPR Article 5
GDPR Article 16


NEW QUESTION # 81
Higher fines are assessed for GDPR violations due to which of the following?

  • A. Failure to notify a supervisory authority and data subjects of a personal data breach
  • B. Violations of a data controller's obligations to obtain a child's consent
  • C. Violations of a data subject's rights.
  • D. Failure to appoint a data protection officer.

Answer: B


NEW QUESTION # 82
How is the GDPR's position on consent MOST likely to affect future app design and implementation?

  • A. Users will see fewer advertisements when using apps.
  • B. App developers' responsibilities as data controllers will increase.
  • C. App developers will expand the amount of data necessary to collect for an app's functionality.
  • D. Users will be given granular types of consent for particular types of processing.

Answer: D


NEW QUESTION # 83
In which of the following situations would an individual most likely be able to withdraw her consent for processing?

  • A. When she is leaving her bank and moving to another bank.
  • B. When she disagrees with a diagnosis her doctor has recorded on her records.
  • C. When she no longer wishes to be sent marketing materials from an organization.
  • D. When she has recently changed jobs and no longer works for the same company.

Answer: C

Explanation:
Reference https://gdpr-info.eu/art-7-gdpr/


NEW QUESTION # 84
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

  • A. The protection of the vital interest of the employees.
  • B. The legal obligation of the employer.
  • C. The consent of the employees.
  • D. The legitimate interest of the public administration.

Answer: B

Explanation:
According to Article 6 of the GDPR, the processing of personal data is only lawful if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In this case, the Spanish employer would most likely depend on the legal obligation of the employer as the lawful basis for sending the personal data of its employees to the national tax authority. This is because the employer is subject to the tax laws and regulations of Spain, which require the employer to report the income and deductions of its employees to the tax authority on an annual basis. The employer must comply with this legal obligation, and the processing of the employees' personal data is necessary for this purpose. The employer does not need to obtain the consent of the employees, as consent is not a valid basis for processing personal data where there is a clear imbalance between the data subject and the controller, such as in the context of employment. The employer also does not need to rely on the legitimate interest of the public administration, as this is not a specific purpose for which the employer is processing the personal data, but rather a general interest that may be served by the tax authority. The employer also does not need to invoke the protection of the vital interest of the employees, as this basis only applies in situations where the processing is necessary to protect someone's life, such as in a medical emergency. Reference: Article 6 GDPR - Lawfulness of processing - General Data Protection Regulation (GDPR), Lawful basis for processing | ICO, Legal obligation as a lawful basis for processing personal data under the GDPR, [Consent in the employment context | ICO], [Vital interests | ICO]


NEW QUESTION # 85
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  • A. Verify that the identity of the customer can be proven by other means.
  • B. Verify that the personal data has not already been sent to the customer.
  • C. Verify that the request is applicable to the data collected before the GDPR entered into force.
  • D. Verify that the purpose of the request from the customer is in line with the GDPR.

Answer: A

Explanation:
According to Article 13 of the GDPR, the controller (in this case, the electricity supplier) has the obligation to provide the data subject (in this case, the customer) with information about the processing of their personal data, including the recipients or categories of recipients of the personal data, if any. However, before providing such information, the controller must verify the identity of the data subject, to ensure that the information is not disclosed to unauthorized persons. This verification can be done by means other than the personal data already collected, such as asking for additional information, sending a verification code, or using a secure online portal. The other options (B, C, and D) are not relevant for this verification, as they do not relate to the identity of the data subject, but to the scope, purpose, and history of the processing. Reference:
Article 13 of the GDPR
The right to be informed (transparency) (Article 13 & 14 GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


NEW QUESTION # 86
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

  • A. Inextricably linked in their businesses.
  • B. Bound by a standard contractual clause.
  • C. Supervised by the same Data Protection Officer.
  • D. Consistent with Privacy Shield requirements.

Answer: A


NEW QUESTION # 87
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Maintain a secure Bring Your Own Device (BYOD) program.
  • B. Pursue a GDPR-compliant Privacy by Design process.
  • C. Institute a GDPR-compliant employee monitoring process.
  • D. Ensure cloud vendors are complying with internal data use policies.

Answer: A

Explanation:
The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification. Reference:
Free CIPP/E Study Guide, page 15, section 2.3.3
CIPP/E Certification, page 10, section 1.1.2
Cipp-e Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3


NEW QUESTION # 88
When may browser settings be relied upon for the lawful application of cookies?

  • A. When it is impossible to bypass the choices made by users in their browser settings.
  • B. When users are provided with information about which cookies have been set.
  • C. When users are aware of the ability to adjust their settings.
  • D. When a user rejects cookies that are strictly necessary.

Answer: A

Explanation:
According to the ICO guidance on the use of cookies and similar technologies [1], browser settings and other control mechanisms can be relied upon for the lawful application of cookies only if they meet the following conditions:
They are designed to protect users' privacy and provide them with control over the use of cookies and similar technologies;
They are prominent and easy to use, and do not require users to take unnecessary steps or provide unnecessary information;
They are specific and granular enough to allow users to express their preferences for different types and purposes of cookies and similar technologies;
They are sufficiently informed and clear about the cookies and similar technologies that will be set or accessed, and the purposes for which they will be used;
They are regularly reviewed and updated to reflect any changes in the cookies and similar technologies that are used or the purposes for which they are used;
They are not overridden or circumvented by other software or settings that may interfere with users' choices;
They provide an effective means of withdrawing consent at any time.
Therefore, browser settings and other control mechanisms can be a valid way of obtaining consent for cookies and similar technologies, but only if they meet these high standards and ensure that users have a real and meaningful choice over the use of cookies and similar technologies on their devices.
Reference: 1: How do we comply with the cookie rules? | ICO (accessed 11 December 2023).


NEW QUESTION # 89
Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

  • A. Important.
  • B. Proportionate.
  • C. Prudent.
  • D. DPA-approved.

Answer: B

Explanation:
According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects [1]. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties [2]. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality [3]. Article 4(1)(e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued [3]. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences.
Reference: 1: CIPP/E study guide, page 1; Data protection in law enforcement. 2: CIPP/E study guide, page 2; Art. 2 LED. 3: CIPP/E study guide, page 3; Art. 4 LED.


NEW QUESTION # 90
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

  • A. Third-party data would be disclosed by providing such information to the data subject
  • B. The data subject already has information regarding how his data will be used
  • C. The processing of the data subject's data is protected by appropriate technical measures
  • D. The provision of such information to the data subject would be too problematic

Answer: B

Explanation:
Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/


NEW QUESTION # 91
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

  • A. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
  • B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
  • C. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
  • D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Answer: C

Explanation:
The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons [1]. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [2]. In this scenario, company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted, clear-text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach [1]. Option C is the correct answer, as it reflects the obligation of the controller under the GDPR. Options A, B and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions [3]. Option A would misuse the "disproportionate effort" exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it [4]. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority [5].
Reference: 1: Article 33(1) of the GDPR; 2: Article 4(12) of the GDPR; 3: Article 83(4)(a) of the GDPR; 4: Article 34(3)(a) of the GDPR; 5: Article 34(1) and (2) of the GDPR.


NEW QUESTION # 92
Which of the following is the weakest lawful basis for processing employee personal data?

  • A. Processing based on fulfilling an employment contract.
  • B. Processing based on legal obligation.
  • C. Processing based on legitimate interests.
  • D. Processing based on employee consent.

Answer: D

Explanation:
According to the GDPR, consent is one of the six lawful bases for processing personal data (Article 6(1)), but it is not always the most appropriate one. Consent must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it at any time, as easily as it was given [1]. In the employment context consent is rarely a valid lawful basis, because the clear imbalance of power between employer and employee means that consent is not freely given; Recital 43 makes this point for imbalances of power generally, and the EDPB guidelines on consent and the Article 29 Working Party's Opinion 2/2017 on data processing at work apply it to employees [2]. Consent is also hard to manage and document, and the processing must stop if the employee withdraws it, which is unworkable for data an employer needs in order to run the employment relationship. Consent is therefore the weakest lawful basis for processing employee personal data, and employers should rely on the other Article 6(1) bases, such as contract, legal obligation, vital interests, public task or legitimate interests, depending on the purpose and necessity of the processing [3]. Reference: [1] Article 4(11) and Article 7 of the GDPR; [2] EDPB Guidelines on consent, page 6; [3] A Guide to Lawful Basis for Processing Employee Personal Data.


NEW QUESTION # 93
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Requesting advice and technical support from Company A's IT team.
  • B. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • C. Avoiding the use of another company's data to improve their own services.
  • D. Vetting companies' measures with the appropriate supervisory authority.

Answer: B

Explanation:
Article 28(1) allows a controller to use only processors providing sufficient guarantees to implement appropriate technical and organisational measures, and Article 28(4) passes the same data protection obligations down to any sub-processor a processor engages, so Company B owed Company A the same diligence over Company C that Company A owed over Company B. Article 28(5) and Recital 81 state that adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate sufficient guarantees, which is what option B describes: selecting providers whose measures follow recognised, accredited standards, verifying that they do, and recording those measures in the contract. Option A would have a processor rely on its own client's IT team; option C is a limitation on purpose, not a guarantee of security measures; and option D is not a service supervisory authorities offer, since they do not pre-approve individual vendors. Reference: Article 28(1), (4) and (5) and Recital 81 of the GDPR; https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/


NEW QUESTION # 94
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. There is no evidence that the thieves have accessed the data on the laptop.
  • B. The data isn't considered personally identifiable financial information.
  • C. The laptop belonged to a company located in Canada.
  • D. The company isn't a controller established in the Union.

Answer: D

Explanation:
Article 33 binds controllers that are subject to the GDPR. Under Article 3(1) the Regulation applies to processing in the context of the activities of an establishment of a controller in the Union, and under Article 3(2) to a controller outside the Union that offers goods or services to, or monitors the behaviour of, data subjects in the Union. In the scenario Who-R-U is headquartered in Montreal with all staff there, sells only to Canadians, blocks non-Canadian traffic and addresses, and the German building holds nothing but a desk and chairs and carries out no processing; the stolen laptop held data on Canadian residents only. None of the Article 3 triggers is met, so the German supervisory authority is not competent for this breach and no GDPR notification to it is required. Options A and B rely on tests the GDPR does not use (the duty to notify turns on the likely risk to individuals, and a loss of data counts as a breach whether or not access can be proven, and regardless of whether the data is financial), and option C confuses the location of a device with the controller's establishment. Note that the answer would change once the EU expansion plans (We-Text-U, EU-specific content and services) go live, because Article 3(2)(a) would then apply.


NEW QUESTION # 95
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

  • A. The ePrivacy Directive
  • B. The EU Cybersecurity Directive
  • C. The E-Commerce Directive
  • D. The Data Retention Directive

Answer: A

Explanation:
The ePrivacy Directive (Directive 2002/58/EC, as amended in 2009), also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. Article 5(3) of the Directive is technology-neutral: it covers any storing of information on, or gaining of access to information already stored in, a user's terminal equipment, so it reaches a mobile app that stores and reads cookies or similar identifiers just as it does a website. Such storage or access is conditioned upon the prior consent of the user, unless it is strictly necessary for the provision of a service explicitly requested by the user. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR: the GDPR applies to any personal data processed through cookies and supplies the definition of consent that the ePrivacy Directive relies on (Article 94(2) GDPR), but it does not itself contain a cookie-specific consent requirement. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts and the liability of intermediaries. The Data Retention Directive required telecommunication providers to retain certain traffic and location data for a period of time for law enforcement purposes; the CJEU declared it invalid in 2014. The "EU Cybersecurity Directive" (the NIS Directive) aims to enhance the security of network and information systems across the EU by setting common standards and obligations for operators of essential services and digital service providers. Reference:
Article 5(3) of Directive 2002/58/EC (ePrivacy Directive); Article 94(2) of the GDPR
Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script
EU Cookie Law - Data Protection and Cookies - Cookiebot
ePrivacy Directive - Regulations - Learn how CookiePro Helps


NEW QUESTION # 96
When would a data subject NOT be able to exercise the right to portability?

  • A. When the processing is carried out pursuant to a contract with the data subject.
  • B. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
  • C. When the processing is based on consent.
  • D. When the data was supplied to the controller by the data subject.

Answer: B

Explanation:
Article 20(1) grants the right to portability only where the processing is based on consent (Article 6(1)(a) or 9(2)(a)) or on a contract (Article 6(1)(b)) and is carried out by automated means, and only for data the data subject provided to the controller, so options A, C and D each describe a situation in which the right does apply. Article 20(3) states that the right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, which is option B. Reference: Article 20(1) and (3) of the GDPR; https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/


NEW QUESTION # 97
What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

  • A. They do not amount to valid consent under any circumstances.
  • B. They are allowed if determined to be technically necessary.
  • C. They constitute valid consent if the processing is necessary for purposes of legitimate interest
  • D. They are allowed if recorded In the register of processing activities.

Answer: A

Explanation:
In Planet49 (Case C-673/17, judgment of 1 October 2019) the CJEU held that the consent required by Article 5(3) of the ePrivacy Directive for storing or accessing cookies on a user's terminal equipment is not validly given where the checkbox is pre-ticked and the user would have to untick it to refuse, because consent must be an active indication of the user's wishes. The Court added that this is so whether or not the information stored is personal data, and that the information given to the user must include the duration of the cookies and whether third parties have access to them. Options B, C and D describe conditions the judgment does not recognise; in particular, cookies that are technically necessary for a service the user requested fall under the strictly-necessary exemption from the consent requirement altogether, not under a relaxed consent standard.


NEW QUESTION # 98
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben's collection of additional data from customers created several potential issues for the company, which would most likely require what?

  • A. A data protection impact assessment.
  • B. A comprehensive data inventory.
  • C. New corporate governance and code of conduct.
  • D. Hiring a data protection officer.

Answer: A

Explanation:
Ben's collection of additional data from customers, in particular special-category data such as philosophical beliefs and political opinions, created several potential issues for the company:
The risk of violating the data minimisation principle, which requires that personal data be adequate, relevant and limited to what is necessary for the purposes of the processing [1]; making the extra data a condition of remaining a customer also undermines any claim that the tick-box consent is freely given (Article 7(4)).
The risk of infringing the rights and freedoms of the data subjects, who are not told about and have not consented to the secondary use of their data by Ben Knows Best, or to the unauthorised access to and copying of their data by Sam.
The risk of non-compliance with the GDPR's rules on special categories of data, which include data revealing philosophical beliefs and political opinions. Processing such data is prohibited by Article 9(1) unless one of the Article 9(2) conditions applies, such as explicit consent, substantial public interest or the establishment of legal claims [2].
The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company's servers in Vermont, which brings the Chapter V transfer rules into play and may lack adequate security measures or safeguards.
Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is the process by which the controller assesses the impact of the envisaged processing operations on the protection of personal data where the processing is likely to result in a high risk (Article 35(1)); Article 35(3)(b) expressly lists large-scale processing of special categories of data as a case requiring one. If the DPIA indicates that the processing would result in a high risk in the absence of mitigating measures, the controller must consult the supervisory authority before processing (Article 36) [3]. The other options are not necessarily required by the GDPR in this situation, although they may be good practices or contractual terms. Reference:
[1] Principles - General Data Protection Regulation (GDPR), Article 5
[2] Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
[3] Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35; Article 36
Free CIPP/E Study Guide, page 32, section 4.1.2
CIPP/E Certification, page 27, section 4.1.2
The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2

