ExamGecko
Login
Home / IAPP / CIPP-E / List of questions
Ask Question

IAPP CIPP-E Practice Test - Questions Answers, Page 6

Add to Whishlist

List of questions

Question 51

Report Export Collapse

How does the GDPR now define "processing''?

Any act involving the collecting and recording of personal data.

Any act involving the collecting and recording of personal data.

Any operation or set of operations performed on personal data or on sets of personal data.

Any operation or set of operations performed on personal data or on sets of personal data.

Any use or disclosure of personal data compatible with the purpose for which the data was collected.

Any use or disclosure of personal data compatible with the purpose for which the data was collected.

Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Suggested answer: B
Explanation:

The GDPR defines processing as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (Article 4(2)). This is a broad definition that covers almost any activity involving personal data, regardless of the method or means used. The GDPR also specifies that processing should be lawful, fair and transparent, and should respect the principles of data protection by design and by default (Article 5).Reference:CIPP/E Certification - International Association of Privacy Professionals,Free CIPP/E Study Guide - International Association of Privacy Professionals, [GDPR - EUR-Lex]

I hope this helps. If you have any other questions, please let me know.

asked 22/11/2024
Chien Fang
47 questions

Question 52

Report Export Collapse

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

The controller will be liable to pay an administrative fine

The controller will be liable to pay an administrative fine

The processor will be liable to pay compensation to affected data subjects

The processor will be liable to pay compensation to affected data subjects

The processor will be considered to be a controller in respect of the processing concerned

The processor will be considered to be a controller in respect of the processing concerned

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Suggested answer: C
Explanation:

According to the UK GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller1.A processor must act only on the documented instructions of the controller and must not process the data for its own purposes or in a way that is incompatible with the controller's purposes1.If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, it will be considered to be a controller in respect of that processing and will be subject to the same obligations and liabilities as a controller under the UK GDPR1.This means that the processor will have to comply with the data protection principles, ensure the rights of data subjects, implement appropriate technical and organisational measures, report data breaches, conduct data protection impact assessments, appoint a data protection officer if required, and cooperate with the supervisory authority1.The processor will also be exposed to the risk of administrative fines, compensation claims, and reputational damage1.Reference:1

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/

asked 22/11/2024
Sean Frenette
44 questions

Question 53

Report Export Collapse

According to the GDPR, how is pseudonymous personal data defined?

Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.

Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Data that has been encrypted or is subject to other technical safeguards.

Data that has been encrypted or is subject to other technical safeguards.

Suggested answer: A
Explanation:

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable.Reference:

GDPR Article 4(5), which defines pseudonymisation.

GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation.

EDPS blog post, which provides an overview of pseudonymisation and its benefits.

ICO guidance, which gives practical advice on how to implement pseudonymisation.

asked 22/11/2024
Vilfride Lutumba
45 questions

Question 54

Report Export Collapse

Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

When the personal data is processed only in non-electronic form

When the personal data is processed only in non-electronic form

When the personal data is collected and then pseudonymised by the controller

When the personal data is collected and then pseudonymised by the controller

When the personal data is held by the controller but not processed for further purposes

When the personal data is held by the controller but not processed for further purposes

When the personal data is processed by an individual only for their household activities

When the personal data is processed by an individual only for their household activities

Suggested answer: D
Explanation:

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1.However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity.For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3.Reference:1: Article 2(1) of the GDPR2: Article 2(2) of the GDPR3: Recital 18 of the GDPR

asked 22/11/2024
Andre Passos
44 questions

Question 55

Report Export Collapse

According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

Where the technology supporting the website is located

Where the technology supporting the website is located

Where the website is accessed

Where the website is accessed

Where the decisions about processing are made

Where the decisions about processing are made

Where the customer's Internet service provider is located

Where the customer's Internet service provider is located

Suggested answer: C
Explanation:

According to the E-Commerce Directive 2000/31/EC, the place of establishment for a company providing services via an Internet website is the place where the service provider effectively pursues an economic activity through a fixed establishment for an indefinite period of time. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider. The place of establishment is determined by the place where the decisions about processing are made, not by the place where the technology supporting the website is located, where the website is accessed, or where the customer's Internet service provider is located. This is confirmed by the GDPR, which applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.Reference:

E-Commerce Directive 2000/31/EC, Article 2(a), Recital 191

GDPR, Article 3(1)2

asked 22/11/2024
Babatunde Ipaye
48 questions

Question 56

Report Export Collapse

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.

Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.

Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Suggested answer: B
asked 22/11/2024
jonathan jaramillo
36 questions

Question 57

Report Export Collapse

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

If Accidentable is entitled to use of the data as an affiliate of Bedrock.

If Accidentable is entitled to use of the data as an affiliate of Bedrock.

If Accidentable also uses the data to conduct public health research.

If Accidentable also uses the data to conduct public health research.

If the data becomes necessary to defend Accidentable's legal rights.

If the data becomes necessary to defend Accidentable's legal rights.

If the accuracy of the data is not an aspect that Louis is disputing.

If the accuracy of the data is not an aspect that Louis is disputing.

Suggested answer: A
asked 22/11/2024
justin staley
39 questions

Question 58

Report Export Collapse

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.

A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.

A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.

A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.

Suggested answer: D
Explanation:

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject's rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject's sensitive medical information without their knowledge or consent.Reference:

Article 4 (15) and Article 9 of the GDPR

Health data | ICO

What does the GDPR mean for personal data in medical reports?

Sensitive data and medical confidentiality - FutureLearn

Health data and data privacy: storing sensitive data under GDPR

asked 22/11/2024
Paola Aguirre
47 questions

Question 59

Report Export Collapse

With the issue of consent, the GDPR allows member states some choice regarding what?

Become a Premium Member for full access
  Unlock Premium Member

Question 60

Report Export Collapse

Which sentence BEST summarizes the concepts of "fairness," "lawfulness" and "transparency'', as expressly required by Article 5 of the GDPR?

Become a Premium Member for full access
  Unlock Premium Member
Total 297 questions
Go to page: of 30
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

What are the obligations of a processor that engages a sub-processor?
It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3
SCENARIO Please use the following to answer the next question: Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU). People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations. The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform. The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?
As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system. What would be the most appropriate way to confirm the identity of the customer?
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
SCENARIO Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information -- name, location, and prior purchase history -- with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms. What is the nature of BHealthy and Natural Insight's relationship?
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact. Why is this company obligated to comply with the GDPR?