ExamGecko
Home Home / IAPP / CIPT
Question list
Search
Search

List of questions

Search

Question 117 - CIPT discussion

Report
Export

SCENARIO

Please use the following to answer the next question:

Jordan just joined a fitness-tracker start-up based in California, USA, as its first Information Privacy and Security Officer. The company is quickly growing its business but does not sell any of the fitness trackers itself. Instead, it relies on a distribution network of third-party retailers in all major countries. Despite not having any stores, the company has a 78% market share in the EU. It has a website presenting the company and products, and a member section where customers can access their information. Only the email address and physical address need to be provided as part of the registration process in order to customize the site to the user's region and country. There is also a newsletter sent every month to all members featuring fitness tips, nutrition advice, product spotlights from partner companies based on user behavior and preferences.

Jordan says the General Data Protection Regulation (GDPR) does not apply to the company. He says the company is not established in the EU, nor does it have a processor in the region. Furthermore, it does not do any "offering goods or services" in the EU since it does not do any marketing there, nor sell to consumers directly. Jordan argues that it is the customers who chose to buy the products on their own initiative and there is no "offering" from the company.

The fitness trackers incorporate advanced features such as sleep tracking, GPS tracking, heart rate monitoring. wireless syncing, calorie-counting and step-tracking. The watch must be paired with either a smartphone or a computer in order to collect data on sleep levels, heart rates, etc. All information from the device must be sent to the company's servers in order to be processed, and then the results are sent to the smartphone or computer. Jordan argues that there is no personal information involved since the company does not collect banking or social security information.

Why is Jordan's claim that the company does not collect personal information as identified by the GDPR inaccurate?

A.

The potential customers must browse for products online.

Answers
A.

The potential customers must browse for products online.

B.

The fitness trackers capture sleep and heart rate data to monitor an individual's behavior.

Answers
B.

The fitness trackers capture sleep and heart rate data to monitor an individual's behavior.

C.

The website collects the customers' and users' region and country information.

Answers
C.

The website collects the customers' and users' region and country information.

D.

The customers must pair their fitness trackers to either smartphones or computers.

Answers
D.

The customers must pair their fitness trackers to either smartphones or computers.

Suggested answer: B

Explanation:

Sleep and heart rate data collected by the fitness trackers can be considered personal information under the GDPR because it relates to an identified or identifiable natural person. This means that even if the company does not collect other types of personal information such as name or address, it is still collecting personal information as defined by the GDPR.

asked 22/11/2024
Scott Wells
38 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first