Your success in IAPP CIPP-E is our sole target and we develop all our CIPP-E braindumps in a way that facilitates the attainment of this target. Not only is our CIPP-E study material the best you can find, it is also the most detailed and the most updated. CIPP-E Practice Exams for IAPP CIPP-E are written to the highest standards of technical accuracy.

Check CIPP-E free dumps before getting the full version:

NEW QUESTION 1
There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

  • A. Consent management and withdrawal.
  • B. Incident detection and response.
  • C. Preventative security.
  • D. Remedial security.

Answer: A

NEW QUESTION 2
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.
Which of the following best explains why this practice would NOT be subject to the GDPR?

  • A. Body temperature is not considered personal data.
  • B. The practice does not involve completion by automated means.
  • C. Body temperature is considered pseudonymous data.
  • D. The practice is for the purpose of alleviating extreme risks to public health.

Answer: B

NEW QUESTION 3
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. Binding Corporate Rules are especially recommended for small and medium companies.
  • B. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.
  • C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
  • D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Answer: C

NEW QUESTION 4
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:
  • Name
  • Address
  • Date of Birth
  • Payroll number
  • National Insurance number
  • Sick pay entitlement
  • Maternity/paternity pay entitlement
  • Holiday entitlement
  • Pension and benefits contributions
  • Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential enforcement action?

  • A. Their omission of data protection provisions in their contract with Company C.
  • B. Their failure to provide sufficient security safeguards to Company A’s data.
  • C. Their engagement of Company C to improve their payroll service.
  • D. Their decision to operate without a data protection officer.

Answer: C

NEW QUESTION 5
What was the aim of the European Data Protection Directive 95/46/EC?

  • A. To harmonize the implementation of the European Convention of Human Rights across all member states.
  • B. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
  • C. To completely prevent the transfer of personal data out of the European Union.
  • D. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

Answer: B

NEW QUESTION 6
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

  • A. Protection of the interests of the data subjects.
  • B. Performance of a contract.
  • C. Legitimate interest.
  • D. Consent.

Answer: D

NEW QUESTION 7
Which of the following is one of the supervisory authority’s investigative powers?

  • A. To notify the controller or the processor of an alleged infringement of the GDPR.
  • B. To require that controllers or processors adopt approved data protection certification mechanisms.
  • C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
  • D. To require data controllers to provide them with written notification of all new processing activities.

Answer: A

NEW QUESTION 8
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. The company isn’t a controller established in the Union.
  • B. The laptop belonged to a company located in Canada.
  • C. The data isn’t considered personally identifiable financial information.
  • D. There is no evidence that the thieves have accessed the data on the laptop.

Answer: A

NEW QUESTION 9
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

  • A. The local Data Protection Supervisory Authorities.
  • B. The European Data Protection Board.
  • C. The EU Commission.
  • D. The Member States.

Answer: D

NEW QUESTION 10
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third-party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
  • First name:
  • Surname:
  • Year of birth:
  • Email:
  • Physical Address (optional*):
  • Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
What is one potential problem Vigotron’s age policy might encounter under the GDPR?

  • A. Age restrictions are more stringent when health data is involved.
  • B. Users are only required to be aged 13 or over to be considered adults.
  • C. Organizations must make reasonable efforts to verify parental consent.
  • D. Organizations that tie a service to marketing must seek consent for each purpose.

Answer: A

NEW QUESTION 11
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

  • A. The ability to enact new laws by executive order.
  • B. The right to access data for investigative purposes.
  • C. The discretion to carry out goals of elected officials within the member state.
  • D. The authority to select penalties when a controller is found guilty in a court of law.

Answer: B

NEW QUESTION 12
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

  • A. Law firm organizations.
  • B. Civil society organizations.
  • C. Human rights organizations.
  • D. Constitutional rights organizations.

Answer: A

NEW QUESTION 13
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

  • A. When the data has been pseudonymized.
  • B. When the data is protected by technological safeguards.
  • C. When the data serves legitimate interest of third parties.
  • D. When the data subject has failed to use a provided opt-out mechanism.

Answer: C

NEW QUESTION 14
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  • B. When it has been determined that adequate protection can be performed.
  • C. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • D. Only as a last resort and when interpreted restrictively.

Answer: B

NEW QUESTION 15
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

  • A. Documenting due diligence steps taken in the pre-contractual stage.
  • B. Conducting a risk assessment to analyze possible outsourcing threats.
  • C. Requiring that the processor directly notify the appropriate supervisory authority.
  • D. Maintaining evidence that the processor was the best possible market choice available.

Answer: A

NEW QUESTION 16
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

  • A. Notify the newspaper that it is delisting the article.
  • B. Fully erase the URL to the content, as opposed to delisting, which is mainly based on the data subject’s name.
  • C. Identify other controllers who are processing the same information and inform them of the delisting request.
  • D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: A

NEW QUESTION 17
Which of the following was the first legally binding international instrument in the area of data protection?

  • A. Convention 108.
  • B. General Data Protection Regulation.
  • C. Universal Declaration of Human Rights.
  • D. EU Directive on Privacy and Electronic Communications.

Answer: A

NEW QUESTION 18
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

  • A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
  • B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
  • C. Demonstrate that the profiling is for the purposes of direct marketing.
  • D. Consider the importance of the profiling to their particular objective.

Answer: C

NEW QUESTION 19
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

  • A. To encourage the consistency of local data processing activity.
  • B. To give corporations a choice about who their supervisory authority will be.
  • C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
  • D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.

Answer: A

NEW QUESTION 20
......
