Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Questions 4

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog's

business?

Options:

A.

Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B.

Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.

C.

Only video calls conducted during business hours and emails that do not contain a "private" or "personal" tag.

D.

Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

Buy Now
Questions 5

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

Options:

A.

Prudent.

B.

Important.

C.

Proportionate.

D.

DPA-approved.

Buy Now
Questions 6

The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?

Options:

A.

Controllers must be given notice of any subprocessors and have a right of objection.

B.

Individuals authorized to process the personal data are subject to an obligation of confidentiality.

C.

Any personal data related to data subjects must be securely maintained for a maximum of ten years.

D.

Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.

Buy Now
Questions 7

Which of the following was the first to implement national law for data protection in 1973?

Options:

A.

France

B.

Sweden

C.

Germany

D.

United Kingdom

Buy Now
Questions 8

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

Options:

A.

App developers will expand the amount of data necessary to collect for an app’s functionality.

B.

Users will be given granular types of consent for particular types of processing.

C.

App developers’ responsibilities as data controllers will increase.

D.

Users will see fewer advertisements when using apps.

Buy Now
Questions 9

What should a controller do after a data subject opts out of a direct marketing activity?

Options:

A.

Without exception, securely delete all personal data relating to the data subject.

B.

Without undue delay, provide information to the data subject on the action that will be taken.

C.

Refrain from processing personal data relating to the data subject for the relevant type of communication.

D.

Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Buy Now
Questions 10

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

Why is the additional measure recommended by Jackie sufficient foe using UpFinance?

Options:

A.

UpFinance is an established 7-year-old business.

B.

UpFinance is in a highly regulated financial industry

C.

UpFinance is based in a country without surveillance laws.

D.

UpFinance implements sufficient data protection measures

Buy Now
Questions 11

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

Options:

A.

Only where the organisation can show that it is reasonable to do so because more than one request was made.

B.

Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

D.

Only if the organisation can demonstrate that the request is clearly excessive or misguided.

Buy Now
Questions 12

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

Options:

A.

The resulting obligation to notify data subjects would involve disproportionate effort.

B.

The incident resulted from the actions of a third-party that were beyond their control.

C.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

D.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Buy Now
Questions 13

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany

Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint?

Options:

A.

Accept, because it did not receive any complaints.

B.

Accept, because GDPR permits non-lead authorities to take action for such complaints.

C.

Reject, because Right Target’s processing was conducted throughout Europe.

D.

Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

Buy Now
Questions 14

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

Options:

A.

The local Data Protection Supervisory Authorities.

B.

The European Data Protection Board.

C.

The EU Commission.

D.

The Member States.

Buy Now
Questions 15

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

Options:

A.

A prior opt-in consent for consumers unless they are already customers.

B.

A pre-checked box stating that the consumer agrees to receive email marketing.

C.

A notice that the consumer’s email address will be used for marketing purposes.

D.

No prior permission required, but an opt-out requirement on all emails sent to consumers.

Buy Now
Questions 16

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

Options:

A.

The request is to obtain access and correct inaccurate personal data in his profile.

B.

The request is to obtain access and information about the purpose of processing his personal data.

C.

The request is to obtain access and erasure of his personal data while keeping his rewards membership.

D.

The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Buy Now
Questions 17

In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

Options:

A.

A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

B.

A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.

C.

A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.

D.

A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

Buy Now
Questions 18

What obligation does a data controller or processor have after appointing a data protection officer?

Options:

A.

To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.

B.

To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.

C.

To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.

D.

To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

Buy Now
Questions 19

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

Options:

A.

Information about DPIAs found in Articles 38 through 40 of the GDPR.

B.

Data breach documentation that data controllers are required to maintain.

C.

Existing DPIA guides published by local supervisory authorities.

D.

Records of processing activities that data controllers are required to maintain.

Buy Now
Questions 20

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

Options:

A.

Adopting a risk-based approach and implementing supplementary measures as needed.

B.

Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.

C.

Obtaining explicit consent from each EU citizen for every individual data transfer.

D.

Storing all personal data within the borders of the European Union.

Buy Now
Questions 21

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

Options:

A.

Both parties are exempt, as the company is involved in human health research

B.

Jack and the pharmaceutical company are jointly liable.

C.

The pharmaceutical company is liable.

D.

Jack is liable

Buy Now
Questions 22

In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?

Options:

A.

A privacy notice containing brief information whilst offering access to further detail.

B.

A privacy notice explaining the consequences for opting out of the use of cookies on a website.

C.

An explanation of the security measures used when personal data is transferred to a third party.

D.

An efficient means of providing written consent in member states where they are required to do so.

Buy Now
Questions 23

What term BEST describes the European model for data protection?

Options:

A.

Sectoral

B.

Self-regulatory

C.

Market-based

D.

Comprehensive

Buy Now
Questions 24

A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

Options:

A.

Obtain specific consent for the new processing

B.

Only inform the data subjects of the new purpose.

C.

Proceed no further, as such repurposing is unlawful

D.

Update the privacy notice upon which consent was given

Buy Now
Questions 25

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

Options:

A.

Notify affected individuals that their data was unavailable for a period of time.

B.

Document the loss of availability to demonstrate accountability

C.

Notify the supervisory authority about the loss of availability

D.

Conduct a thorough audit of all security systems

Buy Now
Questions 26

With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

Options:

A.

If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.

B.

When it has been determined that adequate protection can be performed.

C.

Only if the Data Protection Impact Assessment (DPIA) shows low risk.

D.

Only as a last resort and when interpreted restrictively.

Buy Now
Questions 27

Which of the following is an example of direct marketing that would be subject to European data protection laws?

Options:

A.

An updated privacy notice sent to an individual’s personal email address.

B.

A charity fundraising event notice sent to an individual at her business address.

C.

A service outage notification provided to an individual by recorded telephone message.

D.

A revision of contract terms conveyed to an individual by SMS from a marketing organization.

Buy Now
Questions 28

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What must Zandelay provide to the supervisory authority during the prior consultation?

Options:

A.

An evaluation of the complexity of the intended processing.

B.

An explanation of the purposes and means of the intended processing.

C.

Records showing that customers have explicitly consented to the intended profiling activities.

D.

Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.

Buy Now
Questions 29

In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

Options:

A.

Approved data controllers.

B.

The Council of the European Union.

C.

National data protection authorities.

D.

The European Data Protection Supervisor.

Buy Now
Questions 30

As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his

name, and has used the email address registered in your system.

What would be the most appropriate way to confirm the identity of the customer?

Options:

A.

Request that the customer provide his bank account number.

B.

Request that the customer answer additional security questions.

C.

Request a copy of the customer's last bank account statement.

D.

Request a copy of the customer's government-issued ID document.

Buy Now
Questions 31

The Murla HB Club should have carried out a DPIA before the installation of the new access system AND at what other time?

Options:

A.

After the complaint of the supporter

B.

Periodically, when new risks were foreseen

C.

At the end of every match of the season.

D.

After the AEPD notification of the investigation.

Buy Now
Questions 32

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Which of the following principles has likely been violated in the processing of the

photocall photos containing personal data?

Options:

A.

Adequacy.

B.

Lawfulness.

C.

Transparency.

D.

Data minimization.

Buy Now
Questions 33

When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

Options:

A.

When the data has been pseudonymized.

B.

When the data is protected by technological safeguards.

C.

When the data serves legitimate interest of third parties.

D.

When the data subject has failed to use a provided opt-out mechanism.

Buy Now
Questions 34

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

Options:

A.

Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.

B.

Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.

C.

Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.

D.

Where the DPIA identifies risks that will require insurance for protecting its business interests.

Buy Now
Questions 35

It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3

Options:

A.

Notify the police and Tile a criminal complaint about the incident

B.

Start an investigation to understand the incident's possible scope, duration and nature

C.

Send a notification to the competent supervisory authority describing the incident.

D.

Send an email about the incident to all clients and ask them to change their passwords

Buy Now
Questions 36

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

Options:

A.

Notify its Data Protection Authority about the data breach.

B.

Analyze and evaluate the liability for customers in Ireland.

C.

Analyze and evaluate all of its breach notification obligations.

D.

Notify all of its customers that reside in the European Union.

Buy Now
Questions 37

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

Options:

A.

Approved certifications.

B.

Binding corporate rules.

C.

Law enforcement requests.

D.

Standard contractual clauses.

Buy Now
Questions 38

A private company has establishments in France, Poland, the United Kingdom and, most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

Options:

A.

The supervisory authority of Germany at federal level.

B.

The supervisory authority of Germany at regional level.

C.

The supervisory authority of the Republic of Poland.

D.

The supervisory authority of the European Union.

Buy Now
Questions 39

A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?

Options:

A.

Other data held by the processor.

B.

Other data held by the controller

C.

Other data held by recipients of the data.

D.

Other data held by Internet Service Providers (ISPs).

Buy Now
Questions 40

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

Options:

A.

Notify the newspaper that its article it is delisting the article.

B.

Fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.

C.

Identify other controllers who are processing the same information and inform them of the delisting request.

D.

Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Buy Now
Questions 41

Which of the following was the first legally binding international instrument in the area of data protection?

Options:

A.

Convention 108.

B.

General Data Protection Regulation.

C.

Universal Declaration of Human Rights.

D.

EU Directive on Privacy and Electronic Communications.

Buy Now
Questions 42

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

Options:

A.

Within 40 days of receipt

B.

Within 40 days of receipt, which may be extended by up to 40 additional days

C.

Within one month of receipt, which may be extended by up to an additional month

D.

Within one month of receipt, which may be extended by an additional two months

Buy Now
Questions 43

If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

Options:

A.

The definition of a central contact point for data subjects.

B.

The rules regarding the exercising of data subjects" rights.

C.

The rules to provide information to data subjects in Articles 13 and 14.

D.

The non-disclosure of the essence of their arrangement to data subjects

Buy Now
Questions 44

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?

Options:

A.

Where the technology supporting the website is located

B.

Where the website is accessed

C.

Where the decisions about processing are made

D.

Where the customer’s Internet service provider is located

Buy Now
Questions 45

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

Options:

A.

Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.

B.

Consider the impact of the profiling on the data subject’s interest, rights and freedoms.

C.

Demonstrate that the profiling is for the purposes of direct marketing.

D.

Consider the importance of the profiling to their particular objective.

Buy Now
Questions 46

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

Options:

A.

When an individual has not consented to the marketing.

B.

When an individual’s details are obtained from their inquiries about buying a product.

C.

Where an individual’s details have been obtained from a bought-in marketing list.

D.

Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Buy Now
Questions 47

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

    First name:

    Surname:

    Year of birth:

    Email:

    Physical Address (optional*):

    Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. […]

2.Applicable law. […]

3.Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?

Options:

A.

It is not legal to include fields requiring information regarding health status without consent.

B.

Processing health data requires explicit consent, but the form does not ask for explicit consent.

C.

Direct marketing requires explicit consent, whereas the registration form only provides for a right to object

D.

The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.

Buy Now
Questions 48

Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

Options:

A.

The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.

B.

The supplier determines the location, security measures, and service standards applicable to the processing.

C.

The supplier allows customer data to be transferred around the infrastructure according to capacity.

D.

The supplier assumes the vendor’s business risk associated with data processed by the supplier.

Buy Now
Questions 49

Which type of personal data does the GDPR define as a “special category” of personal data?

Options:

A.

Educational history.

B.

Trade-union membership.

C.

Closed Circuit Television (CCTV) footage.

D.

Financial information.

Buy Now
Questions 50

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection

laws throughout the European Union?

Options:

A.

That it essentially functions as a one-stop shop mechanism

B.

That it takes the form of a Regulation as opposed to a Directive

C.

That it makes notification of large-scale data breaches mandatory

D.

That it makes appointment of a data protection officer mandatory

Buy Now
Questions 51

How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

Options:

A.

The ePrivacy Directive allows individual EU member states to engage in such data retention.

B.

The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.

C.

The Data Retention Directive’s annulment makes such data retention now permissible.

D.

The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Buy Now
Questions 52

A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

Options:

A.

The supervisory authority of Germany at the federal level.

B.

The supervisory authority of Germany at the regional level.

C.

The supervisory authority of the Republic of Poland.

D.

The supervisory authority of the European Union.

Buy Now
Questions 53

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

Options:

A.

ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

B.

CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

C.

CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

D.

ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

Buy Now
Questions 54

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Options:

A.

When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B.

When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C.

When the controller is required to have a Data Protection Officer.

D.

When personal data is being transferred outside of the EEA.

Buy Now
Questions 55

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

Options:

A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.

B.

Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

C.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

D.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Buy Now
Questions 56

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

Options:

A.

The Court of Justice of the European Union.

B.

The European Data Protection Supervisor.

C.

The European Court of Human Rights.

D.

The European Data Protection Board.

Buy Now
Questions 57

In the EDPB's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, all of the following practices follow from the principles relating to the processing of personal data under EU data protection law EXCEPT?

Options:

A.

Data ownership allocation.

B.

Access control management.

C.

Frequent pseudonymization key rotation.

D.

Error propagation avoidance along the processing chain.

Buy Now
Questions 58

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.

Which of the following best explain why this practice would NOT be subject to the GDPR?

Options:

A.

Body temperature is not considered personal data.

B.

The practice does not involve completion by automated means.

C.

Body temperature is considered pseudonymous data.

D.

The practice is for the purpose of alleviating extreme risks to public health.

Buy Now
Questions 59

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

Options:

A.

Data ownership allocation.

B.

Access control management.

C.

Frequent pseudonymization key rotation.

D.

Error propagation avoidance along the processing chain.

Buy Now
Questions 60

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

Options:

A.

If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.

B.

If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C.

If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.

D.

If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

Buy Now
Questions 61

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

Options:

A.

The processing is done by a non-profit organization and the results are disclosed outside the organization.

B.

The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.

C.

The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.

D.

The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Buy Now
Questions 62

What is the main task of the European Data Protection Board?

Options:

A.

To assess adequacy of data protection in third countries

B.

To ensure consistent application of the GDPR.

C.

To proactively prevent disputes between national supervisory authorities.

D.

To publish guidelines tor data subjects on how to property enforce their rights

Buy Now
Questions 63

Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

Options:

A.

If the processing is to be performed by a third-party vendor

B.

If the processing involves data that is considered personal data

C.

If the processing of the data is done through automated means

D.

If the processing is used to predict the behavior of data subjects

Buy Now
Questions 64

Which of the following is NOT recognized as a common characteristic of cloud computing services?

Options:

A.

The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.

B.

The supplier determines the location, security measures, and service standards applicable to the processing.

C.

The supplier allows customer data to be transferred around the infrastructure according to capacity.

D.

The supplier assumes the vendor's business risk associated with data processed by the supplier.

Buy Now
Questions 65

If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

Options:

A.

Notify the appropriate data protection authority.

B.

Perform a data protection impact assessment (DPIA).

C.

Create an information retention policy for those who operate the system.

D.

Ensure that safeguards are in place to prevent unauthorized access to the footage.

Buy Now
Questions 66

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

Options:

A.

General Data Protection Regulation 2016/679.

B.

E-Privacy Directive 2002/58/EC.

C.

E-Commerce Directive 2000/31/EC.

D.

Data Protection Directive 95/46/EC.

Buy Now
Questions 67

If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

Options:

A.

Decision 2001/497/EC (EU controller to non-EU or EEA controller).

B.

Decision 2004/915/EC (EU controller to non-EU or EEA controller).

C.

Decision 2007/72/EC (EU processor to non-EU or EEA controller).

D.

Decision 2010/87/EU (Non-EU or EEA processor from EU controller).

Buy Now
Questions 68

A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

Options:

A.

Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.

B.

Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.

C.

Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.

D.

Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.

Buy Now
Questions 69

Sanctions for non-compliance with the EU Artificial Intelligence Act (Al Act) could result in a maximum fine of?

Options:

A.

The higher of up to 10 million Euro or up to 2% of the entity's total worldwide turnover for the preceding financial year.

B.

The higher of up to 40 million Euro or up to 8% of the entity's total worldwide turnover for the preceding financial year.

C.

The higher of up to 20 million Euro or up to 4% of the entity's total worldwide turnover for the preceding financial year.

D.

The higher of up to 30 million Euro or up to 6% of the entity's total worldwide turnover for the preceding financial year.

Buy Now
Questions 70

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

Options:

A.

Privacy dashboard notice

B.

Visualization notice.

C.

Just-in-lime notice.

D.

Layered notice.

Buy Now
Questions 71

A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?

Options:

A.

It must solicit informed consent through a notice on its website

B.

It must seek authorization from the European supervisory authorities

C.

It must be able to demonstrate a prior business relationship with the customers

D.

It must prove that it uses sufficient security safeguards to protect customer data

Buy Now
Questions 72

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

Options:

A.

Data Subject Rights.

B.

Right of Action.

C.

Necessity.

D.

Consent.

Buy Now
Questions 73

Read the following steps:

    Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices

    Monitor and analyze the apps and devices for compliance

    Manage application life cycles

    Monitor data sharing

An organization should perform these steps to do which of the following?

Options:

A.

Pursue a GDPR-compliant Privacy by Design process.

B.

Institute a GDPR-compliant employee monitoring process.

C.

Maintain a secure Bring Your Own Device (BYOD) program.

D.

Ensure cloud vendors are complying with internal data use policies.

Buy Now
Questions 74

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What is the main problem with the 24/7 camera monitoring?

Options:

A.

It must not be operated during non-business hours and employee holidays.

B.

It may accidentally film third parties whose consent is required for monitoring.

C.

It has no valid legal basis to be implemented in the context of Gentle Hedgehog's business.

D.

It must first be approved by the trade union and then granted a license from the national DPA.

Buy Now
Questions 75

A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.

Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

Options:

A.

Payments cannot be made in a European Union currency.

B.

The controller does not have an establishment in the European Union.

C.

The website is not available in several official languages of European Un on Member States

D.

The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.

Buy Now
Questions 76

Higher fines are assessed for GDPR violations due to which of the following?

Options:

A.

Failure to notify a supervisory authority and data subjects of a personal data breach

B.

Violations of a data controller's obligations to obtain a child's consent

C.

Failure to appoint a data protection officer.

D.

Violations of a data subject"s rights

Buy Now
Questions 77

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s

revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

Options:

A.

Encrypt the data in transit over the wireless Bluetooth connection.

B.

Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.

C.

Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

D.

Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.

Buy Now
Questions 78

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Options:

A.

Documenting due diligence steps taken in the pre-contractual stage.

B.

Conducting a risk assessment to analyze possible outsourcing threats.

C.

Requiring that the processor directly notify the appropriate supervisory authority.

D.

Maintaining evidence that the processor was the best possible market choice available.

Buy Now
Questions 79

Which aspect of processing does the GDPR allow processors to determine for themselves?

Options:

A.

The question of whether the controller needs to be informed about the substitution of another processor carrying out specific processing activities on behalf of the controller.

B.

Their own purposes for the processing, if such purposes are compatible with those for which the personal data were initially collected.

C.

The parameters of their marketing campaigns using personal data relating to the controller's customers.

D.

Their own type of hardware or software and the specific security measures for the processing.

Buy Now
Questions 80

Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

Options:

A.

The European Parliament

B.

The European Commission

C.

The Article 29 Working Party

D.

The European Council

Buy Now
Questions 81

When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

Options:

A.

After a personal data breach.

B.

Every three (3) years.

C.

On an ongoing basis.

D.

Every year.

Buy Now
Questions 82

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?

Options:

A.

An obligation on the processor to report any personal data breach to the controller within 72 hours.

B.

An obligation on both parties to report any serious personal data breach to the supervisory authority.

C.

An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.

D.

An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.

Buy Now
Questions 83

When may browser settings be relied upon for the lawful application of cookies?

Options:

A.

When a user rejects cookies that are strictly necessary.

B.

When users are aware of the ability to adjust their settings.

C.

When users are provided with information about which cookies have been set.

D.

When it is impossible to bypass the choices made by users in their browser settings.

Buy Now
Questions 84

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

Options:

A.

Providing a multi-layered privacy notice, in a website environment.

B.

Providing a QR code linking to more detailed privacy notice, in a CCTV sign.

C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.

D.

Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.

Buy Now
Questions 85

Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?

Options:

A.

Processing necessary for scientific or statistical purposes.

B.

Processing necessary for reasons of substantial public interest.

C.

Processing necessary for purposes of preventive or occupational medicine.

D.

Processing necessary for the defense of legal claims in potential negligence cases.

Buy Now
Questions 86

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

Options:

A.

The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B.

Adequacy determinations automatically lapse when a Member State leaves the EU.

C.

The UK is now a third country because it’s no longer subject to the GDPR.

D.

The UK is less trustworthy now that its not part of the Union.

Buy Now
Questions 87

A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

Options:

A.

The lawful processing criteria stipulated by Articles 6 to 9

B.

The information requirements set out in Articles 13 and 14

C.

The breach notification requirements specified in Articles 33 and 34

D.

The rights granted to data subjects under Articles 12 to 22

Buy Now
Questions 88

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

Options:

A.

The Court of Justice of the European Union.

B.

The European Data Protection Board.

C.

The Data Protection Authority.

D.

The European Commission.

Buy Now
Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Apr 5, 2025
Questions: 295
CIPP-E pdf

CIPP-E PDF

$25.5  $84.99
CIPP-E Engine

CIPP-E Testing Engine

$30  $99.99
CIPP-E PDF + Engine

CIPP-E PDF + Testing Engine

$40.5  $134.99