IAPP CIPP-E Practice Test - Questions Answers, Page 24
Question list
List of questions
Related questions
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
Ruth's implied consent.
Protecting the vital interest of Ruth
Performance of a contract with Ruth.
Protecting against legal liability from Ruth.
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism should Jackie recommend for using InstaHR?
Adequacy
Binding corporate rules.
Explicit consent of employees.
Standard contractual clauses
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
Why is the additional measure recommended by Jackie sufficient foe using UpFinance?
UpFinance is an established 7-year-old business.
UpFinance is in a highly regulated financial industry
UpFinance is based in a country without surveillance laws.
UpFinance implements sufficient data protection measures
SCENARIO
Please use the following to answer the next question:
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?
HRYourWay was ultimately not selected
HRYourWay is not located in a third country.
ProStorage will obtain consent for all transfers.
ProStorage can rely on its Binding Corporate Rules
Sanctions for non-compliance with the EU Artificial Intelligence Act (Al Act) could result in a maximum fine of?
The higher of up to 10 million Euro or up to 2% of the entity's total worldwide turnover for the preceding financial year.
The higher of up to 40 million Euro or up to 8% of the entity's total worldwide turnover for the preceding financial year.
The higher of up to 20 million Euro or up to 4% of the entity's total worldwide turnover for the preceding financial year.
The higher of up to 30 million Euro or up to 6% of the entity's total worldwide turnover for the preceding financial year.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the 'party zone' of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a 'cross-border processing'?
The total number of the data subjects interested.
The potential harm for the data subjects affected.
The limitation of rights of the data subjects concerned.
The exposure of the information of the data subjects involved.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the 'party zone' of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Which of the following principles has likely been violated in the processing of the photocall photos containing personal data?
Adequacy.
Lawfulness.
Transparency.
Data minimization.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the 'party zone' of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Why would consent NOT be considered an adequate legal basis for accessing the party zone?
The consent is not completely unambiguous.
The consent is not sufficiently informed.
The consent is not freely given.
The consent is not in writing.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the 'party zone' of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?
Where the controller is registered as a company.
Where the processor is registered as a company.
Where decisions about the processing activities are made.
Where the director with responsibility for processing activities is located.
As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.
What would be the most appropriate way to confirm the identity of the customer?
Request that the customer provide his bank account number.
Request that the customer answer additional security questions.
Request a copy of the customer's last bank account statement.
Request a copy of the customer's government-issued ID document.
Question