ExamGecko
Search Search Login
Home Home / IAPP / CIPP-E

IAPP CIPP-E Practice Test - Questions Answers, Page 26

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?
SCENARIO Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR. ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data. What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
The Planet 49 CJEU Judgement applies to?
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Question 251

Report
Export
Collapse

Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment.

Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

A.

Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.

A.

Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.

Answers
B.

Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails

B.

Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails

Answers
C.

Permit Jerry to carry out his marketing plan on the basis of legitimate interest

C.

Permit Jerry to carry out his marketing plan on the basis of legitimate interest

Answers
D.

Require Jerry to include an option to opt out of marketing emails in the future

D.

Require Jerry to include an option to opt out of marketing emails in the future

Answers
Suggested answer: B

Question 252

Report
Export
Collapse

A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property

Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

A.

The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.

A.

The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.

Answers
B.

The homeowner has not specified which security measures ore in place as part of the surveillance camera system

B.

The homeowner has not specified which security measures ore in place as part of the surveillance camera system

Answers
C.

The GDPR specifically excludes surveillance camera images from the household exemption

C.

The GDPR specifically excludes surveillance camera images from the household exemption

Answers
D.

The surveillance camera system can potentially film individuals who enter its filming perimeter

D.

The surveillance camera system can potentially film individuals who enter its filming perimeter

Answers
Suggested answer: A

Question 253

Report
Export
Collapse

Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?

A.

It should be fair.

A.

It should be fair.

Answers
B.

It should be lawful

B.

It should be lawful

Answers
C.

It should prevent harm

C.

It should prevent harm

Answers
D.

It should respect human autonomy.

D.

It should respect human autonomy.

Answers
Suggested answer: B

Question 254

Report
Export
Collapse

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

A.

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

A.

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

Answers
B.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

B.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

Answers
C.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

C.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

Answers
D.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

D.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Answers
Suggested answer: C

Question 255

Report
Export
Collapse

After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?

A.

Any parents of children whose personal data was compromised.

A.

Any parents of children whose personal data was compromised.

Answers
B.

Any affected customers whose data was compromised.

B.

Any affected customers whose data was compromised.

Answers
C.

A competent supervisory authority.

C.

A competent supervisory authority.

Answers
D.

A local law enforcement agency

D.

A local law enforcement agency

Answers
Suggested answer: B

Question 256

Report
Export
Collapse

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

A.

They are allowed if determined to be technically necessary.

A.

They are allowed if determined to be technically necessary.

Answers
B.

They do not amount to valid consent under any circumstances.

B.

They do not amount to valid consent under any circumstances.

Answers
C.

They are allowed if recorded In the register of processing activities.

C.

They are allowed if recorded In the register of processing activities.

Answers
D.

They constitute valid consent if the processing is necessary for purposes of legitimate interest

D.

They constitute valid consent if the processing is necessary for purposes of legitimate interest

Answers
Suggested answer: D

Question 257

Report
Export
Collapse

Higher fines are assessed for GDPR violations due to which of the following?

A.

Failure to notify a supervisory authority and data subjects of a personal data breach

A.

Failure to notify a supervisory authority and data subjects of a personal data breach

Answers
B.

Violations of a data controller's obligations to obtain a child's consent

B.

Violations of a data controller's obligations to obtain a child's consent

Answers
C.

Failure to appoint a data protection officer.

C.

Failure to appoint a data protection officer.

Answers
D.

Violations of a data subject's rights

D.

Violations of a data subject's rights

Answers
Suggested answer: D

Explanation:

The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1.The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1.The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:

The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;

The obligations of the certification body pursuant to Articles 42 and 43;

The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1.The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:

The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;

The data subjects' rights pursuant to Articles 12 to 22;

The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

Any obligations pursuant to Member State law adopted under Chapter IX;

Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject's rights, as these are among the infringements that fall under the higher tier of fines.Data subjects' rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer.Reference:Art. 83 GDPR -- General conditions for imposing administrative fines,Article 83 GDPR - GDPRhub

Question 258

Report
Export
Collapse

A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of the following would be the best legal basis for the company to rely upon?

A.

Public interest.

A.

Public interest.

Answers
B.

Individual consent

B.

Individual consent

Answers
C.

Legitimate interest.

C.

Legitimate interest.

Answers
D.

Exercise of pubic authority.

D.

Exercise of pubic authority.

Answers
Suggested answer: A

Question 259

Report
Export
Collapse

According to the GDPR. Article 4(14). biometric data is defined as:

'Personal data resulting from specific technical processing relating to the______charactenstics of a natural person'

Which term could NOT be placed in the above definition?

A.

Psychological.

A.

Psychological.

Answers
B.

Physical.

B.

Physical.

Answers
C.

Intellectual.

C.

Intellectual.

Answers
D.

Behavioral

D.

Behavioral

Answers
Suggested answer: B

Question 260

Report
Export
Collapse

According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

A.

The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.

A.

The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.

Answers
B.

The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.

B.

The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.

Answers
C.

The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.

C.

The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.

Answers
D.

The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.

D.

The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.

Answers
Suggested answer: B
Total 271 questions
Go to page: of 28
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms