IAPP CIPP-E Practice Test - Questions Answers, Page 10
List of questions
Related questions
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?
Pursue a GDPR-compliant Privacy by Design process.
Institute a GDPR-compliant employee monitoring process.
Maintain a secure Bring Your Own Device (BYOD) program.
Ensure cloud vendors are complying with internal data use policies.
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
Notify the appropriate data protection authority.
Perform a data protection impact assessment (DPIA).
Create an information retention policy for those who operate the system.
Ensure that safeguards are in place to prevent unauthorized access to the footage.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
Assessed potential privacy risks by conducting a data protection impact assessment.
Consulted with the relevant data protection authority about potential privacy violations.
Distributed a more comprehensive notice to employees and received their express consent.
Consulted with the Information Security team to weigh security measures against possible server impacts.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
Information about what is specified in the employment contract.
Information about who employees should contact with any queries.
Information about how providing consent could affect them as employees.
Information about how the measures are in the best interests of the company.
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A company wants to combine location data with other data in order to offer more personalized service for the customer.
A company wants to use location data to infer information on a person's clothes purchasing habits.
A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
A company wants to use location data to track delivery trucks in order to make the routes more efficient.
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
When creating an untargeted pop-up ad on a website.
When calling a potential customer to notify her of an upcoming product sale.
When emailing a customer to announce that his recent order should arrive earlier than expected.
When paying a search engine company to give prominence to certain products and services within specific search results.
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
A prior opt-in consent for consumers unless they are already customers.
A pre-checked box stating that the consumer agrees to receive email marketing.
A notice that the consumer's email address will be used for marketing purposes.
No prior permission required, but an opt-out requirement on all emails sent to consumers.
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
When an individual has not consented to the marketing.
When an individual's details are obtained from their inquiries about buying a product.
Where an individual's details have been obtained from a bought-in marketing list.
Where an individual is given the ability to unsubscribe from marketing emails sent to him.
What should a controller do after a data subject opts out of a direct marketing activity?
Without exception, securely delete all personal data relating to the data subject.
Without undue delay, provide information to the data subject on the action that will be taken.
Refrain from processing personal data relating to the data subject for the relevant type of communication.
Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.
Question