ExamGecko
Search Search Login
Home Home / IAPP / CIPP-E
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?
SCENARIO Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR. ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data. What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
The Planet 49 CJEU Judgement applies to?
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Question 170 - CIPP-E discussion

Report
Export

SCENARIO

Please use the following to answer the next question:

Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.

Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.

What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

A.

Conduct analysis only on anonymized personal data.

Answers
A.

Conduct analysis only on anonymized personal data.

B.

Conduct analysis only on pseudonymized personal data.

Answers
B.

Conduct analysis only on pseudonymized personal data.

C.

Delete all data collected prior to May 2018 after conducting the trend analysis.

Answers
C.

Delete all data collected prior to May 2018 after conducting the trend analysis.

D.

Procure a third party to conduct the analysis and delete the data from Market4U's systems.

Answers
D.

Procure a third party to conduct the analysis and delete the data from Market4U's systems.

Suggested answer: B

Explanation:

According to the GDPR, pseudonymization is a technique that replaces or removes information in a data set that identifies an individual.Pseudonymized data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organizational measures to ensure non-attribution1.Pseudonymization is not a method of anonymization, which means that the data is irreversibly altered in such a way that a data subject can no longer be identified2.Pseudonymized data is still considered personal data and subject to the GDPR, but it benefits from some relaxations of the rules, such as the possibility of further processing for compatible purposes, the exemption from some data subject rights, and the facilitation of data transfers3.

In this scenario, Market4U is an advertising technology company that collects and processes a large amount of personal data from its contacts, including sensitive data such as birth date and salary. This data can be used to gain insights into the preferences and behavior of its potential customers, as well as to identify trends and opportunities in different industry verticals. However, this data also poses significant risks for Market4U, such as data breaches, non-compliance, reputational damage, and legal liability.Therefore, Market4U needs to apply the principle of data minimization, which means that it should only collect and process the data that is necessary and relevant for its purposes, and delete the data that is no longer needed4.

One of the ways that Market4U can achieve data minimization is by pseudonymizing the personal data that it uses for analysis. By doing so, Market4U can reduce the risks associated with the processing of personal data, while still retaining the utility and value of the data for its purposes.Pseudonymization can also help Market4U to comply with other GDPR principles, such as purpose limitation, storage limitation, and integrity and confidentiality5.Pseudonymization can also enable Market4U to rely on legitimate interests as a legal basis for the processing of personal data for analysis, as long as it conducts a balancing test and respects the rights and interests of the data subjects6.

Therefore, the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U is to conduct analysis only on pseudonymized personal data. This option would allow Market4U to use the data for its legitimate business purposes, without compromising the privacy and security of the data subjects.

The other options are incorrect because:

A) Conducting analysis only on anonymized personal data would not be feasible or effective for Market4U, as anonymization is a very difficult and complex process that requires the removal or alteration of any information that can identify an individual, directly or indirectly. Anonymization may also result in the loss of accuracy, quality, and utility of the data, which would undermine the value and purpose of the analysis.Moreover, anonymization is irreversible, which means that Market4U would not be able to restore the original data if needed2.

C) Deleting all data collected prior to May 2018 after conducting the trend analysis would not be compliant with the GDPR, as it would violate the principle of storage limitation, which requires that personal data should be kept only for as long as necessary for the purposes for which it is processed. Market4U cannot justify the retention of the data for longer than needed, especially if the data is outdated, irrelevant, or excessive.Moreover, deleting the data after the analysis would not eliminate the risks associated with the processing of the data, such as data breaches or unauthorized access4.

D) Procuring a third party to conduct the analysis and delete the data from Market4U's systems would not be a good solution for Market4U, as it would involve the transfer of personal data to another data controller or processor, which would require additional safeguards and obligations under the GDPR. Market4U would still be responsible for ensuring the compliance and security of the data, and would have to enter into a data processing agreement with the third party, as well as inform and obtain the consent of the data subjects, if applicable.Furthermore, procuring a third party would entail additional costs and risks for Market4U, such as losing control and visibility over the data, or exposing the data to unauthorized or unlawful processing by the third party7.

Show Answer
asked 22/11/2024
charles ratchagaraj
43 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms