Want to know Ucertify CIPP-E Exam practice test features? Want to learn more about IAPP Certified Information Privacy Professional/Europe (CIPP/E) certification experience? Study 100% Correct IAPP CIPP-E answers to Update CIPP-E questions at Ucertify. Get success with an absolute guarantee to pass IAPP CIPP-E (Certified Information Privacy Professional/Europe (CIPP/E)) test on your first attempt.
IAPP CIPP-E Free Dumps Questions Online, Read and Test Now.
NEW QUESTION 1
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?
- A. It must solicit informed consent through a notice on its website
- B. It must seek authorization from the European supervisory authorities
- C. It must be able to demonstrate a prior business relationship with the customers
- D. It must prove that it uses sufficient security safeguards to protect customer data
Answer: A
NEW QUESTION 2
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
- B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
- C. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
Answer: D
NEW QUESTION 3
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
- A. Encrypt the data in transit over the wireless Bluetooth connection.
- B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
- C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
- D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
Answer: A
NEW QUESTION 4
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A. The controller will be liable to pay an administrative fine
- B. The processor will be liable to pay compensation to affected data subjects
- C. The processor will be considered to be a controller in respect of the processing concerned
- D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
Answer: B
NEW QUESTION 5
To which of the following parties does the territorial scope of the GDPR NOT apply?
- A. All member countries of the European Economic Area.
- B. All member countries party to the Treaty of Lisbon.
- C. All member countries party to the Paris Agreement.
- D. All member countries of the European Union.
Answer: A
NEW QUESTION 6
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?
- A. She was not told which controller would be processing her personal data.
- B. She only viewed the visual representations of the privacy notice Liem provided.
- C. She did not read the privacy notice stating that her personal data would be shared.
- D. She has never made any purchases from JaphSoft and has no relationship with the company.
Answer: C
NEW QUESTION 7
The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?
- A. Choose the data protection officer that is most sympathetic to their business concerns.
- B. Designate their main establishment in the member state with the most flexible practices.
- C. File appeals of infringement judgments with more than one EU institution simultaneously.
- D. Select third-party processors on the basis of cost rather than quality of privacy protection.
Answer: B
NEW QUESTION 8
What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?
- A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
- B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
- C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
- D. An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.
Answer: B
NEW QUESTION 9
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
- A. Legislative powers.
- B. Corrective powers.
- C. Investigatory powers.
- D. Authorization and advisory powers.
Answer: D
NEW QUESTION 10
A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?
- A. The school places a notice near each camera.
- B. The school gets explicit consent from the students.
- C. Processing is necessary for the legitimate interests pursued by the school.
- D. A state law requires facial recognition to verify attendance.
Answer: A
NEW QUESTION 11
To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?
- A. The Court of Justice of the European Union.
- B. The European Data Protection Supervisor.
- C. The European Court of Human Rights.
- D. The European Data Protection Board.
Answer: A
NEW QUESTION 12
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?
- A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
- B. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
- C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
- D. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
Answer: B
NEW QUESTION 13
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
- A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.
- B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
- C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.
- D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.
Answer: B
NEW QUESTION 14
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
- A. The European Parliament
- B. The European Commission
- C. The Article 29 Working Party
- D. The European Council
Answer: B
NEW QUESTION 15
Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?
- A. Choose the data protection officer that is most sympathetic to their business concerns.
- B. Designate their main establishment in the member state with the most flexible practices.
- C. File appeals of infringement judgments with more than one EU institution simultaneously.
- D. Select third-party processors on the basis of cost rather than quality of privacy protection.
Answer: B
NEW QUESTION 16
The European Parliament jointly exercises legislative and budgetary functions with which of the following?
- A. The European Commission.
- B. The Article 29 Working Party.
- C. The Council of the European Union.
- D. The European Data Protection Board.
Answer: C
NEW QUESTION 17
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A. A voluntary notification for personal data breaches applicable to all data controllers.
- B. A voluntary notification for personal data breaches applicable to electronic communication providers.
- C. A mandatory notification for personal data breaches applicable to all data controllers.
- D. A mandatory notification for personal data breaches applicable to electronic communication providers.
Answer: D
NEW QUESTION 18
In which of the following situations would an individual most likely be able to withdraw her consent for processing?
- A. When she is leaving her bank and moving to another bank.
- B. When she has recently changed jobs and no longer works for the same company.
- C. When she disagrees with a diagnosis her doctor has recorded on her records.
- D. When she no longer wishes to be sent marketing materials from an organization.
Answer: D
NEW QUESTION 19
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?
- A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
- B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
- C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
- D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
Answer: B