IAPP CIPP-E Practice Test - Questions Answers, Page 10

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage. In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German-based company, and InstaHR, an Australian-based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR.

After her review of both, she found that InstaHR boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR. ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US-based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?








SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Read the following steps:

Discover which employees are accessing cloud services and from which devices and apps

Lock down the data in those apps and devices

Monitor and analyze the apps and devices for compliance

Manage application life cycles

Monitor data sharing

An organization should perform these steps to do which of the following?

A. Pursue a GDPR-compliant Privacy by Design process.

B. Institute a GDPR-compliant employee monitoring process.

C. Maintain a secure Bring Your Own Device (BYOD) program.

D. Ensure cloud vendors are complying with internal data use policies.

Suggested answer: C

Explanation:

The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification.

Reference:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

Cipp-e Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3

If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

A. Notify the appropriate data protection authority.

B. Perform a data protection impact assessment (DPIA).

C. Create an information retention policy for those who operate the system.

D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

Suggested answer: A

Explanation:

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.

Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.

Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage.

Reference: GDPR Article 35; GDPR Article 36; GDPR Article 5; CCTV and video surveillance | ICO; 5 Step Guide to Check if Your CCTV is GDPR Compliant

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

A. Assessed potential privacy risks by conducting a data protection impact assessment.

B. Consulted with the relevant data protection authority about potential privacy violations.

C. Distributed a more comprehensive notice to employees and received their express consent.

D. Consulted with the Information Security team to weigh security measures against possible server impacts.

Suggested answer: A

Explanation:

A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals [1]. The GDPR requires controllers to conduct a DPIA before starting such processing activities [1]. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees' computers, which could affect their privacy and other fundamental rights [2]. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities [1][2]. The other options are not the first step that Building Block should have done, as they either follow or depend on the outcome of the DPIA.

Reference: [1] Data Protection Impact Assessment (DPIA) - GDPR.eu; [2] Data protection impact assessments | ICO

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

A. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.

B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.

C. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.

D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.

Suggested answer: C

Explanation:

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company's policies. The employer must also have a legitimate interest or another lawful basis for processing the employees' data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law.

Reference: GDPR requirements for employee monitoring: rules to follow; Can Your Organisation Monitor Employees' Personal Communications?; ICO publishes guidance to ensure lawful monitoring in the workplace; [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

A. Information about what is specified in the employment contract.

B. Information about who employees should contact with any queries.

C. Information about how providing consent could affect them as employees.

D. Information about how the measures are in the best interests of the company.

Suggested answer: B

Explanation:

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject's rights, and any other information necessary to ensure fair and transparent processing [1]. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language [2]. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority [3].

Reference: [1] Art. 13 GDPR -- Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR); [2] Art. 12 GDPR -- Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR); [3] Art. 15-22 GDPR -- Rights of the data subject - General Data Protection Regulation (GDPR).

Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

A. A company wants to combine location data with other data in order to offer more personalized service for the customer.

B. A company wants to use location data to infer information on a person's clothes purchasing habits.

C. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.

D. A company wants to use location data to track delivery trucks in order to make the routes more efficient.

Suggested answer: C

Explanation:

According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as:

a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject;

processing on a large scale of special categories of data or data relating to criminal convictions and offences; or a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects' privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency.

Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive.

Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

Reference:

GDPR Article 35

Guidelines on DPIA

Art. 35 GDPR - Data protection impact assessment - GDPR.eu

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.

C. When emailing a customer to announce that his recent order should arrive earlier than expected.

D. When paying a search engine company to give prominence to certain products and services within specific search results.

Suggested answer: D

Explanation:

The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.

Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.

Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.

Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer's personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer's personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Reference:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

CIPP/E Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3

ePrivacy: The EU's other data protection rule

The New Rules of Data Privacy

A guide to GDPR data privacy requirements

A guide to the data protection principles

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.

B. A pre-checked box stating that the consumer agrees to receive email marketing.

C. A notice that the consumer's email address will be used for marketing purposes.

D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Suggested answer: A

Explanation:

Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling in a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject's will. However, there is an exception to the consent rule for existing customers, known as the "soft opt-in". This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

The company obtained the customer's contact details in the course of a sale or negotiations for a sale of a product or service;

The company only sends marketing messages about its own similar products or services;

The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

A. When an individual has not consented to the marketing.

B. When an individual's details are obtained from their inquiries about buying a product.

C. Where an individual's details have been obtained from a bought-in marketing list.

D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Suggested answer: B

Explanation:

The "soft opt-in" rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met:

the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;

the sender only sends direct marketing relating to its own similar products or services; and

the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

Option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual's details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the "soft opt-in" rule, as they involve either no consent, no prior relationship, or no opt-out mechanism.

Reference: Electronic mail marketing | ICO; Direct marketing rules and exceptions under the GDPR

What should a controller do after a data subject opts out of a direct marketing activity?

A. Without exception, securely delete all personal data relating to the data subject.

B. Without undue delay, provide information to the data subject on the action that will be taken.

C. Refrain from processing personal data relating to the data subject for the relevant type of communication.

D. Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.

Suggested answer: C

Explanation:

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject's choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. 
The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort.

Reference: Direct marketing rules and exceptions under the GDPR; Direct marketing and privacy and electronic communications; Marketing and advertising: the law: Direct marketing; Direct Marketing - What you need to know about direct marketing
