ExamGecko
Search Search Login
Home Home / IAPP / CIPP-E
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?
SCENARIO Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR. ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data. What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
The Planet 49 CJEU Judgement applies to?
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Question 228 - CIPP-E discussion

Report
Export

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?


A.

Notify its Data Protection Authority about the data breach.

Answers
A.

Notify its Data Protection Authority about the data breach.

B.

Analyze and evaluate the liability for customers in Ireland.

Answers
B.

Analyze and evaluate the liability for customers in Ireland.

C.

Analyze and evaluate all of its breach notification obligations.

Answers
C.

Analyze and evaluate all of its breach notification obligations.

D.

Notify all of its customers that reside in the European Union.

Answers
D.

Notify all of its customers that reside in the European Union.

Suggested answer: B

Explanation:

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

Show Answer
asked 22/11/2024
Alvin Gonzalez
38 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms