IAPP CIPP-E Practice Test - Questions Answers, Page 23

Related questions


SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.

In support of Ruth's strategic goal of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German-based company, and InstaHR, an Australian-based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both, she found that InstaHR boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US-based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures, including end-to-end encryption with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf, prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?








SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information -- name, location, and prior purchase history -- with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.

In which case would Natural Insight's use of BHealthy's data for improvement of its algorithms be considered data processor activity?

A. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy.

B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities.

D. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities.

Suggested answer: B

Explanation:

According to the General Data Protection Regulation (GDPR), a data processor is a natural or legal person, agency, public authority, or any other body who processes personal data on behalf of a data controller. A data controller is a natural or legal person, agency, public authority, or any other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR imposes specific obligations and responsibilities on both data controllers and data processors, and requires them to enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

In this scenario, BHealthy is the data controller, as it determines the purpose and means of collecting and sharing its customer information with Natural Insight. Natural Insight is the data processor, as it processes the customer information on behalf of BHealthy for the purpose of determining the price point for BHealthy's new sunscreens. However, Natural Insight also intends to use the customer information for its own purpose of improving its algorithms, which may not be aligned with BHealthy's purpose or instructions. This may constitute a breach of the data processing contract and the GDPR, as the data processor must only process the personal data on documented instructions from the data controller, unless required to do so by EU or member state law (Article 28(3)(a) of the GDPR).

Therefore, the only case in which Natural Insight's use of BHealthy's data for improvement of its algorithms would be considered data processor activity is if Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. This would mean that BHealthy has given its consent and authorization for Natural Insight to process the data for that specific purpose, and that Natural Insight is acting in accordance with BHealthy's instructions. In this case, Natural Insight would still be bound by the data processing contract and the GDPR, and would have to comply with the other obligations and requirements of a data processor, such as ensuring the security of the data, respecting the conditions for engaging another processor, assisting the data controller in ensuring compliance with the GDPR, and deleting or returning the data to the data controller after the end of the service.

The other options are not valid cases for data processor activity, as they do not involve the data controller's instructions or consent. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy, it may still be processing the data for a different purpose than the one for which it was collected and shared, and without BHealthy's knowledge or approval. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities, it may still be violating the data processing contract and the GDPR, as it is not acting on behalf of the data controller, but for its own benefit. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities, it may still be infringing the data controller's rights and obligations, as it is not the data controller's role to inform the data subjects of the processing activities, and it may not have a lawful basis for processing the data for its own purpose.

Reference:

GDPR

Data Controllers and Processors - GDPR EU

Who does the UK GDPR apply to? | ICO

What Activities Count as Processing Under the GDPR?

What constitutes data processing? - European Commission

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A. The right to request access to the personal data a controller holds about them.

B. The right to request the deletion of data a controller holds about them.

C. The right to opt-out of the sale of their personal data to third parties.

D. The right to request restriction of processing of personal data, under certain scenarios.

Suggested answer: C

Explanation:

The right to opt out of the sale of personal data is not an explicit right granted to data subjects under the GDPR, as the GDPR does not specifically address the sale of personal data. However, the GDPR does require that data subjects give their consent to any processing of their personal data that is not based on another legal basis, such as a contract or a legal obligation [1]. Therefore, data subjects have the right to withdraw their consent at any time, and the controller must inform them of this right before obtaining their consent [2]. The other options are explicit rights granted to data subjects under the GDPR, as they are listed in Chapter 3 of the regulation [3].

Reference:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

GDPR data subject rights - 8 fundamental & additional rights, paragraph 4

Rights of the data subject - General Data Protection Regulation (GDPR), Article 7

Rights of the data subject - General Data Protection Regulation (GDPR), Chapter 3

As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

A. Protection of the interests of the data subjects.

B. Performance of a contract

C. Legitimate interest

D. Consent

Suggested answer: C

Explanation:

According to the GDPR, legitimate interest is one of the possible legal bases for processing personal data, which means that the data controller has a valid reason to process the data that is not overridden by the interests or rights of the data subject. The GDPR specifically mentions fraud prevention as a potential legitimate interest of the data controller, as it serves both the interests of the online shop and the data subjects who may be victims of fraud. However, the data controller must conduct a balancing test to ensure that the legitimate interest is not outweighed by the potential harm or intrusion to the data subject's privacy. The data controller must also provide clear and transparent information to the data subject about the processing of their data for fraud prevention purposes, and respect their right to object to such processing.

The other options are incorrect because:

A) Protection of the interests of the data subjects is not a legal basis for processing personal data, but rather a condition for processing special categories of personal data under Article 9 of the GDPR. Moreover, fraud prevention does not necessarily protect the interests of the data subjects, but rather the interests of the online shop and the general public.

B) Performance of a contract is a legal basis for processing personal data that is necessary for the execution or fulfilment of a contract between the data controller and the data subject. However, fraud prevention is not strictly necessary for the performance of a contract, as it is not directly related to the delivery of goods or services that the data subject has purchased from the online shop.

D) Consent is a legal basis for processing personal data that requires the data subject to give their informed, specific, and freely given agreement to the processing of their data for one or more purposes. However, consent is not the most appropriate legal basis for fraud prevention, as it may not be freely given by the data subject, who may feel pressured to agree to the processing of their data in order to complete their purchase. Moreover, consent may not be reliable or effective for fraud prevention, as it can be withdrawn by the data subject at any time, or may be given by a fraudster who is not the legitimate owner of the data.

To what does the Planet49 CJEU judgement apply?

A. Cookies used only by third parties.

B. Cookies that are deemed technically necessary.

C. Cookies regardless of whether the data accessed is personal or not.

D. Cookies where the data accessed is considered as personal data only.

Suggested answer: C

Explanation:

The Planet49 CJEU judgement applies to cookies regardless of whether the data accessed is personal or not. The Court of Justice of the European Union (the 'CJEU') delivered this judgement on 1 October 2019, in response to a request for a preliminary ruling from the German Federal Court of Justice (the 'Bundesgerichtshof'). The case concerned the validity of consent for the use of cookies and similar technologies under the e-Privacy Directive and the GDPR.

The CJEU ruled that Article 5 (3) of the e-Privacy Directive, which requires consent for the storage of, or access to, information stored in the user's terminal equipment, applies to any information installed or accessed from an individual's device, regardless of whether it constitutes personal data or not. The Court reasoned that the aim of the provision is to protect the user from interference with his or her private sphere, which may occur irrespective of the nature of the information stored or accessed. Therefore, the consent requirement applies to all cookies and similar technologies, except for those that are strictly necessary for the provision of a service explicitly requested by the user.

The CJEU also clarified that the consent required for cookies under the e-Privacy Directive must comply with the standard of consent under the GDPR, which means that it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The Court held that a pre-ticked checkbox does not constitute valid consent, as it does not imply active behaviour by the user. The Court also stated that the user must be provided with clear and comprehensive information about the cookies, including their duration and whether third parties will have access to them.

Reference:

Planet 49 Judgment -- takeaways for Cookie Monsters

The Planet 49 decision: Implications for organisations that use cookies

CURIA - List of results

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set, based on the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A. It collects data from European Union websites, which constitutes an establishment in the European Union.

B. It offers services in the European Union by identifying data subjects in the European Union.

C. It collects data from subjects and uses it for automated processing.

D. It monitors the behavior of data subjects in the European Union.

Suggested answer: D

Explanation:

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union [1]. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR.

The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union [2]; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union [3]; (C) Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union [4].

Reference:

1. Article 3(2) of the GDPR

2. EDPB Guidelines, paragraph 20

3. EDPB Guidelines, paragraph 38

4. EDPB Guidelines, paragraph 50

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?


A. An information security risk by copying the data into a new database.

B. A potential legal liability and financial exposure from its customers.

C. A significant risk to the customers' fundamental rights and freedoms.

D. A significant risk due to the lack of an informed consent mechanism.

Suggested answer: B

Explanation:

According to the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject [1]. The GDPR also recognizes that the processing of special categories of personal data, such as data revealing political opinions, religious or philosophical beliefs, or data concerning health or sex life, may entail a high risk to the rights and freedoms of natural persons [2]. Therefore, such data can only be processed under certain conditions, such as when the data subject has given explicit consent, or when the processing is necessary for reasons of substantial public interest [3].

In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customers' fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Ben's actions constituted the most serious violation of the GDPR in this scenario.

Reference:

1. Art. 5 GDPR -- Principles relating to processing of personal data

2. Recital 51 GDPR -- Protecting sensitive personal data

3. Art. 9 GDPR -- Processing of special categories of personal data

4. Guidelines 3/2019 on processing of personal data through video devices


SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?


A. Send out consent forms to all of its employees.

B. Minimize the amount of data collected for the lawsuit.

C. Inform all of its employees about the lawsuit.

D. Encrypt the data from all of its employees.

Suggested answer: A

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating on every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel.
Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?


A. Notify its Data Protection Authority about the data breach.

B. Analyze and evaluate the liability for customers in Ireland.

C. Analyze and evaluate all of its breach notification obligations.

D. Notify all of its customers that reside in the European Union.

Suggested answer: B

Explanation:

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating on every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel.
Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from whom?


A. The Court of Justice of the European Union.

B. The European Data Protection Board.

C. The Data Protection Authority.

D. The European Commission.

Suggested answer: B

Explanation:

Binding Corporate Rules (BCRs) are a data transfer mechanism under the GDPR that allow multinational companies to transfer personal data within their group entities outside the EU, provided that they comply with the data protection principles and rights of the GDPR. BCRs are internal codes of conduct that must be legally binding and enforced by every member of the group.

According to Article 47 of the GDPR, BCRs must be approved by the competent Data Protection Authority (DPA) in the EU, following the consistency mechanism set out in Article 63 of the GDPR. This means that the DPA that receives the application for approval of the BCRs must communicate its draft decision to the European Data Protection Board (EDPB), which will issue its opinion on the BCRs. The EDPB is an independent body composed of representatives of the national DPAs and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR across the EU and issues guidelines, recommendations, and best practices on various aspects of the GDPR.

Therefore, the data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from the Data Protection Authority, which is the supervisory authority responsible for authorising and monitoring the BCRs. The company cannot rely on the BCRs as a valid legal basis for transferring personal data from the EU to the US without the DPA's approval.

The other options are not correct, as they are not the authorities that approve the BCRs under the GDPR. The Court of Justice of the European Union (CJEU) is the judicial body of the EU that interprets and applies EU law and ensures its uniformity across the EU. The CJEU does not approve the BCRs, but it may rule on the validity or interpretation of the GDPR or other EU laws that affect data protection. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on the BCRs, but it does not approve them. The EDPB's opinions are not binding, but they must be taken into account by the DPAs. The European Commission is the executive branch of the EU that proposes and implements EU laws and policies. The European Commission does not approve the BCRs, but it may adopt adequacy decisions that recognise that a third country or an international organisation ensures an adequate level of data protection, which is another data transfer mechanism under the GDPR.

Which of the following is an accurate statement regarding the 'one-stop-shop' mechanism of the GDPR?

A. It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.

B. It applies only to direct enforcement by data protection supervisory authorities (e.g. finding a breach), but not to initiating or engaging in court proceedings.

C. It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.

D. It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations in exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.

Suggested answer: D

Explanation:

The "one-stop-shop" mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR [1]. The "one-stop-shop" mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state [1]. Under the "one-stop-shop" mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing [1]. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing [1]. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows [1]. However, the "one-stop-shop" mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority [1]. These exceptional cases include the following situations [2]:

When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;

When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;

When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;

When an urgent need to act arises in order to protect the rights and freedoms of data subjects.

In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken [2]. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter [2]. Therefore, option D is the correct answer.

References: [1] Art. 60 GDPR -- Cooperation between the lead supervisory authority and the other supervisory authorities concerned; [2] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
