Real IAPP CIPP-E Exam Questions Study Guide [Q164-Q189]
The CIPP-E Exam covers a wide range of topics related to privacy, including the legal and regulatory frameworks, data subjects' rights, data transfers, privacy impact assessments, and privacy by design. It is designed for professionals who work in the privacy industry, including privacy officers, data protection officers, privacy lawyers, and consultants.


IAPP CIPP-E (Certified Information Privacy Professional/Europe (CIPP/E)) Certification Exam is a globally recognized qualification that validates an individual’s knowledge and expertise in the field of data protection and privacy. CIPP-E exam is designed to assess the candidate’s understanding of the EU’s General Data Protection Regulation (GDPR), which sets the standard for data privacy laws around the world. Certified Information Privacy Professional/Europe (CIPP/E) certification is ideal for professionals who work in the field of privacy, such as privacy officers, data protection officers, lawyers, and consultants.


NEW QUESTION # 164
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Retention periods for erasure and deletion of categories of personal data.
  • B. Categories of recipients to whom the personal data have been disclosed.
  • C. Incidents of personal data breaches, whether disclosed or not.
  • D. Data inventory or data mapping exercises that have been conducted.

Answer: A


NEW QUESTION # 165
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores.
Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?

  • A. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
  • B. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
  • C. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
  • D. Consent for data collection is implied through the parent's purchase of the action figure for the child.

Answer: B

Explanation:
According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
Examples of ISS include online marketplaces, social media platforms, and online games.
In this scenario, the company is offering an ISS to children, as the connected toys can talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice, questions, preferences, and location. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children's best interests.
The other options are incorrect because:
* C. The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children's consent.
* A. The company does not need to obtain written authorization from the supervisory authority to process children's data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state, and it can intervene only in cases of non-compliance or complaints.
* D. Consent for data collection cannot be implied through the parent's purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent's agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.
References: Article 8 and Recitals (38) and (58) of the GDPR, Can personal data about children be collected?, Children and the UK GDPR, CIPP/E Certification


NEW QUESTION # 166
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

  • A. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.
  • B. Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.
  • C. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
  • D. Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

Answer: D


NEW QUESTION # 167
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. Only as a last resort and when interpreted restrictively.
  • B. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • C. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  • D. When it has been determined that adequate protection can be performed.

Answer: A

Explanation:
The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules [1]. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects [2][3]. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects [2][3].
References:
* [1] Article 49 of the GDPR
* [2] Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
* [3] A guide to international transfers | ICO


NEW QUESTION # 168
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

  • A. The terms of service shall also enumerate all applicable anti-money laundering laws.
  • B. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.
  • C. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
  • D. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

Answer: B


NEW QUESTION # 169
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, company Z should do which of the following?

  • A. Conduct a thorough audit of all security systems
  • B. Document the loss of availability to demonstrate accountability
  • C. Notify affected individuals that their data was unavailable for a period of time.
  • D. Notify the supervisory authority about the loss of availability

Answer: D

Explanation:
Reference: https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827 (5)


NEW QUESTION # 170
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations.
TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva's legal responsibility as a processor?

  • A. They must report it to TripBliss Inc.
  • B. They must report it to the supervisory authority.
  • C. They must conduct a full systems audit.
  • D. They must inform customers who have used the website.

Answer: A

Explanation:
According to Article 33 of the GDPR, processors must notify controllers without undue delay after becoming aware of a personal data breach [1]. Even though Leon and Fred did not disclose the data to anyone else, the unauthorized access and copying of the log files still constitutes a personal data breach [2]. Therefore, Techiva, as a processor, has a legal responsibility to report it to TripBliss Inc., as the controller. The other options are not legal obligations for processors, although they may be good practices or contractual terms. References:
* Free CIPP/E Study Guide, page 32, section 4.1.2
* CIPP/E Certification, page 27, section 4.1.2
* Cipp-e Study guides, Class notes & Summaries, page 38, section 4.1.2
* New IAPP CIPP-E Exam Practice Questions, question 141
* Processors' responsibilities, paragraph 2


NEW QUESTION # 171
In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

  • A. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
  • B. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
  • C. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.
  • D. If the cookies do not track personal data, then pre-checked boxes are acceptable.

Answer: C

Explanation:
The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user's device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.


NEW QUESTION # 172
A company has collected personal data for direct marketing purposes on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

  • A. Proceed no further, as such repurposing is unlawful
  • B. Obtain specific consent for the new processing
  • C. Only inform the data subjects of the new purpose.
  • D. Update the privacy notice upon which consent was given

Answer: B

Explanation:
According to the GDPR, consent is one of the lawful bases for processing personal data [1]. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her [2]. Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes [3]. If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing [4]. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject's agreement to the new processing. Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions [5]. References:
* Free CIPP/E Study Guide, page 23, section 4.1.1
* GDPR, Article 4 (11)
* GDPR, Recital 32
* GDPR, Article 6 (4)
* GDPR, Article 83 (5) (a)


NEW QUESTION # 173
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

  • A. The European Council
  • B. The European Commission
  • C. The Council of the European Union
  • D. The European Parliament

Answer: B

Explanation:
According to the CIPP/E study guide [1], the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.
References:
* [1] Free CIPP/E Study Guide - International Association of Privacy Professionals
* https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501


NEW QUESTION # 174
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

  • A. On an ongoing basis.
  • B. After a personal data breach.
  • C. Every three (3) years.
  • D. Every year.

Answer: A

Explanation:
Reference: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf


NEW QUESTION # 175
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  • A. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
  • B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
  • C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  • D. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.

Answer: A

Explanation:
Reference: https://www.zimmerslaw.com/english-1/data-protection/


NEW QUESTION # 176
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

  • A. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
  • B. The terms of service shall also enumerate all applicable anti-money laundering laws.
  • C. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.
  • D. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

Answer: A

Explanation:
According to Article 13 of the GDPR, when personal data are collected from the data subject, the controller shall provide the data subject with certain information, such as the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, and the existence of the data subject's rights.
This information shall be provided at the time when personal data are obtained. The purpose of this requirement is to ensure that the data subject is informed and aware of how their personal data will be used and shared, and to enable them to exercise their rights accordingly. Therefore, customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process. References:
* Article 13 of the GDPR
* IAPP CIPP/E Study Guide, page 32


NEW QUESTION # 177
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • C. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  • D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

Answer: B

Explanation:
According to Article 3(1) of the GDPR [1], personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.
Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.
Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR [1]. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.
Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.
Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.
References:
* [1] Free CIPP/E Study Guide - International Association of Privacy Professionals
* https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extra-territoriality/


NEW QUESTION # 178
In which of the following situations would an individual most likely be able to withdraw her consent for processing?

  • A. When she has recently changed jobs and no longer works for the same company.
  • B. When she no longer wishes to be sent marketing materials from an organization.
  • C. When she disagrees with a diagnosis her doctor has recorded on her records.
  • D. When she is leaving her bank and moving to another bank.

Answer: B

Explanation:
Reference: https://gdpr-info.eu/art-7-gdpr/


NEW QUESTION # 179
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

  • A. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • B. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
  • C. The right to privacy has to be balanced against other rights under the ECHR
  • D. The right to privacy is an absolute right

Answer: C

Explanation:
Reference: https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf (15)


NEW QUESTION # 180
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  • A. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  • B. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
  • C. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
  • D. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.

Answer: A

Explanation:
Under Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), storing information on a user's terminal equipment, or gaining access to information already stored there, requires the user's consent unless the storage or access is strictly necessary to provide an information society service explicitly requested by the user. A cookie that remembers the items in a shopping cart falls under that exemption; cookies that record IP addresses, referring sites, time spent on the site and pages visited for analytics purposes, as in this scenario, do not. Consent takes its meaning from the GDPR (Article 4(11)): it must be freely given, specific, informed and unambiguous, and a request for it must be clearly distinguishable from other matters (Article 7(2)). It must be obtained before the cookie is placed or read. Neither the categories of data involved nor who ultimately receives the resulting statistics changes this analysis; the only question is whether each cookie is strictly necessary for the service the user requested. Because TripBliss Inc.'s analytics cookies are not, option A is correct.
Option B is incorrect because the consent requirement does not turn on the potential for location tracking: any cookie that is not strictly necessary requires consent, whatever its type or purpose, and the scenario describes no location tracking beyond the IP address collection that ordinary analytics entails.
Option C is incorrect because explicit consent, as distinct from ordinary GDPR consent, is required only where the processing involves special categories of personal data under Article 9. The scenario gives no indication that the cookies collect such data, and the ePrivacy consent requirement itself does not depend on the categories of data involved.
Option D is incorrect because the requirement attaches to the storage of, or access to, information on the user's device. It applies regardless of who receives the data afterwards or how aggregated the output delivered to TripBliss Inc. is.
Reference:
ePrivacy Directive, Article 5(3)
GDPR, Article 4(11), Article 7, Article 9
CIPP/E Study Guide, Chapter 5, Section 5.2.2


NEW QUESTION # 181
Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?

  • A. That it takes the form of a Regulation as opposed to a Directive
  • B. That it makes notification of large-scale data breaches mandatory
  • C. That it essentially functions as a one-stop shop mechanism
  • D. That it makes appointment of a data protection officer mandatory

Answer: A

Explanation:
One of the main differences between a Regulation and a Directive in EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve but leaves them the choice of form and methods to transpose it into their national laws. By taking the form of a Regulation, the GDPR therefore harmonizes the data protection rules across the EU and supports consistent implementation and enforcement, in contrast to Directive 95/46/EC, which was transposed differently in each member state. The other aspects listed in the question, the one-stop shop mechanism, mandatory notification of large-scale data breaches and mandatory appointment of a data protection officer, are important features of the GDPR, but none of them has the same effect on the consistency of data protection law as the choice of legal instrument.
References: Difference between a Regulation and a Directive (European Law); EUR-Lex summary 310401_2; EU GDPR vs. European Data Protection Directive 95/46/EC (Advisera); Difference between GDPR and Data Protection Directive (Profolus)


NEW QUESTION # 182
Pursuant to Article 17 of the GDPR and EDPB Guidelines 5/2019 on the criteria of the right to be forgotten in search engine cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

  • A. The personal data has been collected in relation to the offer of information society services (ISS) to a child.
  • B. The data subject withdraws consent and there is no other legal basis for the processing.
  • C. The processing is necessary for exercising the right of freedom of expression and information.
  • D. The personal data is no longer necessary in relation to the search engine provider's processing

Answer: C

Explanation:
According to Article 17 of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). However, Article 17(3)(a) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. That is an exception to the right, not a ground for exercising it, so it is not a valid basis for a delisting request. Reference:
Article 17 of the GDPR
EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)


NEW QUESTION # 183
Which of the following was the first legally binding international instrument in the area of data protection?

  • A. General Data Protection Regulation.
  • B. Universal Declaration of Human Rights.
  • C. EU Directive on Privacy and Electronic Communications.
  • D. Convention 108.

Answer: D


NEW QUESTION # 184
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

  • A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
  • B. Failure to process personal information in a manner compatible with its original purpose.
  • C. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
  • D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

Answer: C


NEW QUESTION # 185
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft's use of pseudonymization is NOT in compliance with the GDPR because?

  • A. JaphSoft failed to first anonymize the personal data.
  • B. JaphSoft was in possession of information that could be used to identify data subjects.
  • C. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
  • D. JaphSoft failed to keep personally identifiable information in a separate database.

Answer: B

Explanation:
Under Article 4(5) of the GDPR, pseudonymization means processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures ensuring that the data are not attributed to an identified or identifiable natural person. Pseudonymized data remain personal data; they are not anonymized, because anonymization requires that the data can no longer be attributed to an identifiable person by any reasonably likely means (Recital 26). Pseudonymization is nonetheless recognized as a safeguard (Articles 25 and 32, Recital 28) that supports data minimization, purpose limitation and storage limitation and reduces the risk to data subjects if a dataset is exposed.
In this scenario, JaphSoft's use of pseudonymization is not in compliance with the GDPR because of option B: JaphSoft was in possession of information that could be used to identify the data subjects, and did not hold that information in the way Article 4(5) requires. JaphSoft stripped identifying details from the contact records, but its engineers kept the identifying information in the same database as the stripped contact records, with no technical or organizational measures preventing the two from being joined. Anyone with access to that database could therefore re-attribute the data to the individuals, so the data were not effectively pseudonymized at all. Option D describes a symptom of the same problem, but the GDPR does not prescribe a separate database as such; what it requires is separation plus safeguards, which is what option B captures. Option A is wrong because anonymization is not a prerequisite for pseudonymization, and option C is wrong because pseudonymizing data is not itself a breach. Separately, JaphSoft's lack of any deletion process for client data is in tension with the storage limitation principle (Article 5(1)(e)), which requires personal data to be kept no longer than necessary for the purposes for which they are processed, but that is a distinct failing from the pseudonymization defect the question asks about.
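The distinction the explanation draws, between a token table that is separated from its re-identification key and a table that simply carries the identifiers alongside the token, is easiest to see in code. The following Python is an added illustration and is not code from the page, from IAPP or from the fictional JaphSoft; the records, field names and function names are constructed for the example. It uses a keyed HMAC so that the same email always yields the same token (the modelling team can still link a subject's purchases across campaigns) while the token cannot be reversed or matched against guessed emails without the key. The mapping and the key are the "additional information" of Article 4(5) and are returned as a separate object so they can be stored and access-controlled apart from the analytics dataset; the same-table layout from the scenario is shown next to it, together with a check a reviewer can run on a dataset before releasing it and an erasure routine for the storage limitation point.

```python
"""Pseudonymisation with the re-identification data kept separately (GDPR Art. 4(5)).

Added illustration only; not the page's or JaphSoft's code. Sample data is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample contacts, standing in for a MarketIQ-style export (hypothetical).
CONTACTS = [
    {"name": "Alice Example", "email": "Alice@example.test", "purchases": ["boots", "belt"]},
    {"name": "Bob Example", "email": "bob@example.test", "purchases": ["sandals"]},
    {"name": "Alice Example", "email": "alice@example.test", "purchases": ["bag"]},
]
DIRECT_IDENTIFIERS = {"name", "email"}


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token.

    The same email gives the same token under one key, so records stay linkable for
    modelling. Without the key the token cannot be reversed or tested against a guessed
    email, which a plain SHA-256 of the email would allow.
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into an analytics dataset with no direct identifiers and a mapping.

    The mapping plus the key are the 'additional information' of Art. 4(5): they belong
    in a separate store under their own access controls, never beside the dataset.
    """
    analytics: List[dict] = []
    mapping: Dict[str, dict] = {}
    for r in records:
        token = pseudonym(r["email"], key)
        analytics.append({"subject": token, "purchases": list(r["purchases"])})
        mapping[token] = {"name": r["name"], "email": r["email"]}
    return analytics, mapping


def same_table_antipattern(records: List[dict], key: bytes) -> List[dict]:
    """The layout the scenario describes: a token is added, but name and email stay in
    the same rows, so anyone who can read the table re-identifies every subject."""
    return [dict(r, subject=pseudonym(r["email"], key)) for r in records]


def contains_direct_identifiers(rows: List[dict]) -> bool:
    """Release check: refuse to hand a dataset to analytics if any row still carries a
    direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)


def reidentify(token: str, mapping: Dict[str, dict]) -> Optional[dict]:
    """Only the holder of the separately stored mapping can do this."""
    return mapping.get(token)


def erase_subject(token: str, mapping: Dict[str, dict]) -> None:
    """Storage limitation: once the additional information is no longer needed, delete it.
    The remaining analytics rows can then no longer be attributed by this holder."""
    mapping.pop(token, None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by a key custodian, not by the analytics team
    dataset, lookup = pseudonymise(CONTACTS, key)
    print("analytics dataset leaks identifiers:", contains_direct_identifiers(dataset))
    print("same-table layout leaks identifiers:",
          contains_direct_identifiers(same_table_antipattern(CONTACTS, key)))
    tok = dataset[0]["subject"]
    print("re-identified via separate mapping:", reidentify(tok, lookup))
    erase_subject(tok, lookup)
    print("after erasure:", reidentify(tok, lookup))
```

The two Alice rows differ only in email case; the normalisation inside `pseudonym` links them to one token, which is what a modelling team wants, while `same_table_antipattern` shows why the scenario's layout offers no protection at all: the token is there, but so is everything needed to reverse it.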


NEW QUESTION # 186
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
Why is this company obligated to comply with the GDPR?

  • A. The company has offices in the EU.
  • B. The company's data center is located in a country outside the EU.
  • C. The company employs staff in the EU.
  • D. The company's products are marketed directly to EU customers.

Answer: D

Explanation:
Under Article 3(2)(a) of the GDPR, the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects, irrespective of whether a payment is required. The company has no offices or staff in the EU, so Article 3(1) (processing in the context of an establishment in the Union) does not apply, which rules out options A and C. The location of the data center in South Africa raises a transfer question under Chapter V, but it is not what brings the company within the GDPR's scope, so option B is also wrong. What triggers the GDPR is that the company's toys are sold throughout Europe through its distribution contracts and the connected toys process children's voice data on the company's cloud servers; Recital 23 indicates that offering goods or services in Union languages or currencies, or mentioning customers in the Union, shows an intention to target EU data subjects. Option D is therefore correct. As a non-EU controller subject to Article 3(2), the company must also designate a representative in the Union under Article 27 unless an exemption applies.


NEW QUESTION # 187
Which of the following would require designating a data protection officer?

  • A. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
  • B. Processing is carried out by an organization employing 250 persons or more.
  • C. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
  • D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Answer: D

Explanation:
According to Article 37 of the GDPR, the designation of a data protection officer (DPO) is mandatory for controllers and processors in three cases:
* When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
* When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
* When the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The GDPR does not define what constitutes "regular and systematic monitoring" or "large scale", but the Article 29 Working Party (now replaced by the European Data Protection Board) has provided guidance on these concepts in WP243. According to that guidance, "regular and systematic monitoring" includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but also offline activities such as CCTV or health data monitoring. The guidance also suggests criteria for assessing whether processing is carried out on a large scale: the number of data subjects concerned, the volume of data or the range of data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing.
Option D is the only one that clearly falls under the second case of mandatory DPO designation, as it describes a controller or processor whose core activities involve regular and systematic monitoring of data subjects on a large scale. This could include, for example, online behavioural advertising, location tracking, loyalty programmes or health data analytics. The other options do not in themselves trigger the obligation. Option B is not relevant, as the GDPR sets no threshold based on the size or number of employees of the organisation (the 250-employee figure appears only in the record-keeping exemption of Article 30(5)). Option C is not decisive either, as the GDPR does not distinguish between for-profit and non-profit purposes of the processing. Option A may require a DPO if the processing of financial information or information relating to children is carried out on a large scale and involves special categories of data, but neither financial data nor children's data is a special category under Article 9, so it is not a general rule. References:
* Article 37 of the GDPR
* Article 29 Working Party, Guidelines on Data Protection Officers ('DPOs'), WP243 rev.01: https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf
* Regulation (EU) 2016/679 (General Data Protection Regulation): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
* ICO, Data protection officers: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/


NEW QUESTION # 188
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

  • A. Only where the administrative costs of taking the action requested exceeds a certain threshold.
  • B. Only if the organization can demonstrate that the request is clearly excessive or misguided.
  • C. Only where the organization can show that it is reasonable to do so because more than one request was made.
  • D. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

Answer: B

