The Most Up-to-date Guide To CIPP-E Pdf

NEW QUESTION 1
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

• A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.
• B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
• C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
• D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Answer: B

NEW QUESTION 2
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

• A. Approved data controllers.
• B. The Council of the European Union.
• C. National data protection authorities.
• D. The European Data Protection Supervisor.

Answer: A

NEW QUESTION 3
If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

• A. Decision 2001/497/EC (EU controller to non-EU or EEA controller).
• B. Decision 2004/915/EC (EU controller to non-EU or EEA controller).
• C. Decision 2007/72/EC (EU processor to non-EU or EEA controller).
• D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller).

Answer: B

NEW QUESTION 4
The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

• A. The recipients or categories of recipients.
• B. The categories of personal data concerned.
• C. The rights of access, erasure, restriction, and portability.
• D. The right to lodge a complaint with a supervisory authority.

Answer: B

NEW QUESTION 5
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data
provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:
“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

• A. No marketing information at all.
• B. Any marketing information at all.
• C. Marketing information related to other business operations of WonderKids.
• D. Marketing information for products or services similar to those purchased from WonderKids.

Answer: C

NEW QUESTION 6
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

• A. Assessed potential privacy risks by conducting a data protection impact assessment.
• B. Consulted with the relevant data protection authority about potential privacy violations.
• C. Distributed a more comprehensive notice to employees and received their express consent.
• D. Consulted with the Information Security team to weigh security measures against possible server impacts.

Answer: C

NEW QUESTION 7
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?

• A. Pursue a GDPR-compliant Privacy by Design process.
• B. Institute a GDPR-compliant employee monitoring process.
• C. Maintain a secure Bring Your Own Device (BYOD) program.
• D. Ensure cloud vendors are complying with internal data use policies.

Answer: C

NEW QUESTION 8
WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

• A. A postal notification
• B. A direct electronic message
• C. A notice on a corporate blog
• D. A prominent advertisement in print media

Answer: C

NEW QUESTION 9
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

• A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
• B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
• C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
• D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Answer: C

NEW QUESTION 10
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly
owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

• A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
• B. If Accidentable also uses the data to conduct public health research.
• C. If the data becomes necessary to defend Accidentable’s legal rights.
• D. If the accuracy of the data is not an aspect that Louis is disputing.

Answer: A

NEW QUESTION 11
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan
to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
With regard to TripBliss Inc.’s use of website cookies, which of the following statements is correct?

• A. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
• B. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
• C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
• D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Answer: B

NEW QUESTION 12
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border
transfers?

• A. The European Commission can adopt an adequacy decision for individual companies.
• B. The European Commission can adopt, repeal or amend an existing adequacy decision.
• C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
• D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Answer: A

NEW QUESTION 13
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

• A. Both govern international transfers of personal data
• B. Both govern the manual processing of personal data
• C. Both only apply to European Union countries
• D. Both require notification of processing activities to a supervisory authority

Answer: D

NEW QUESTION 14
SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U’s forms?

• A. Make all the fields optional.
• B. Only request the information in brackets (i.e., age group and salary range).
• C. Eliminate the fields, as they are not proportional to the services being offered.
• D. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.

Answer: D

NEW QUESTION 15
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a
multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

• A. Send out consent forms to all of its employees.
• B. Minimize the amount of data collected for the lawsuit.
• C. Inform all of its employees about the lawsuit.
• D. Encrypt the data from all of its employees.

Answer: B

NEW QUESTION 16
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

• A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
• B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
• C. Failure to process personal information in a manner compatible with its original purpose.
• D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

Answer: D

NEW QUESTION 17
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

• A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
• B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.
• C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
• D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

Answer: B

NEW QUESTION 18
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

• A. The resulting obligation to notify data subjects would involve disproportionate effort.
• B. The incident resulted from the actions of a third-party that were beyond their control.
• C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
• D. The sensitivity of the categories of data involved in the incident was not substantial enough.

Answer: B

NEW QUESTION 19
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
To ensure GDPR compliance, what should be the company’s position on the issue of consent?

• A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
• B. Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority.
• C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
• D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected.

Answer: D

NEW QUESTION 20
......