ExamGecko
Search Search Login
Home Home / IAPP / CIPP-E
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

In relation to third countries and international organizations, which of the following shall, along with the supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the enforcement of data protection legislation?
Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?
SCENARIO Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR. ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data. What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
The Planet 49 CJEU Judgement applies to?
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?
Select the answer below that accurately completes the following: ''The right to compensation and liability under the GDPR...
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

Question 176 - CIPP-E discussion

Report
Export

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A.

The school places a notice near each camera.

Answers
A.

The school places a notice near each camera.

B.

The school gets explicit consent from the students.

Answers
B.

The school gets explicit consent from the students.

C.

Processing is necessary for the legitimate interests pursed by the school.

Answers
C.

Processing is necessary for the legitimate interests pursed by the school.

D.

A state law requires facial recognition to verify attendance.

Answers
D.

A state law requires facial recognition to verify attendance.

Suggested answer: B

Explanation:

The use of facial recognition technology to track student attendance involves the processing of biometric data, which is a special category of personal data under the GDPR.Such data can only be processed under certain conditions, one of which is the explicit consent of the data subject1. Therefore, the school may provide a lawful basis for this processing if it obtains the explicit consent of the students (or their legal guardians, if the students are minors).The consent must be freely given, specific, informed and unambiguous, and the students must have the right to withdraw their consent at any time2. The other options do not provide a lawful basis for this processing, as they do not meet the requirements for processing special categories of data.Placing a notice near each camera does not constitute consent, nor does it comply with the transparency principle3.Processing for the legitimate interests of the school may be a valid basis for processing personal data in general, but not for processing biometric data, unless it is authorised by a specific law that provides suitable safeguards4.A state law that requires facial recognition to verify attendance may also be a valid basis for processing personal data in general, but not for processing biometric data, unless it is necessary for reasons of substantial public interest and provides suitable safeguards5.Reference:

Free CIPP/E Study Guide, page 24, section 3.2

CIPP/E Certification, page 19, section 3.2

Cipp-e Study guides, Class notes & Summaries, page 17, section 3.2

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Consent - General Data Protection Regulation (GDPR), Article 7

Principles - General Data Protection Regulation (GDPR), Article 5

Lawfulness of processing - General Data Protection Regulation (GDPR), Article 6

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Show Answer
asked 22/11/2024
Patrick Thiel
36 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms