
[May 29, 2022] 100% Real & Accurate CIPP-E Questions with Free and Fast Updates
Self-Study Guide for Becoming a Certified Information Privacy Professional/Europe (CIPP/E) Expert
NEW QUESTION 32
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
- A. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
- B. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
- C. Processing health data requires explicit consent, but the form does not ask for explicit consent.
- D. It is not legal to include fields requiring information regarding health status without consent.
Answer: A
NEW QUESTION 33
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A. The requirements specified that data must be held within the EU.
- B. The requirements had limitations on how national authorities could use data.
- C. The requirements were financially burdensome to EU businesses.
- D. The requirements affected individuals without exception.
Answer: B
NEW QUESTION 34
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The synchronization of approaches to data protection
- B. The creation of legally binding data protection principles
- C. The establishment of a list of legitimate data processing criteria
- D. The restriction of cross-border data flow
Answer: D
NEW QUESTION 35
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?
- A. Notify the newspaper that it is delisting the article.
- B. Identify other controllers who are processing the same information and inform them of the delisting request.
- C. Fully erase the URL to the content, as opposed to delisting, which is based mainly on the data subject's name.
- D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
Answer: A
NEW QUESTION 36
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?
- A. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
- B. Only if the organization can demonstrate that the request is clearly excessive or misguided.
- C. Only where the organization can show that it is reasonable to do so because more than one request was made.
- D. Only where the administrative costs of taking the action requested exceed a certain threshold.
Answer: A
NEW QUESTION 37
With the issue of consent, the GDPR allows member states some choice regarding what?
- A. The timeframe in which data subjects are allowed to withdraw their consent
- B. The mechanisms through which consent may be communicated
- C. The circumstances in which silence or inactivity may constitute consent
- D. The age at which children must be required to obtain parental consent
Answer: D
NEW QUESTION 38
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?
- A. Providing a hyperlink to the organization's home page, in a hard copy application form.
- B. Providing a multi-layered privacy notice, in a website environment.
- C. Providing a "just-in-time" contextual pop-up privacy notice, in an online application form field.
- D. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
Answer: B
NEW QUESTION 39
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
- A. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
- B. Encrypt the data in transit over the wireless Bluetooth connection.
- C. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
- D. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
Answer: B
NEW QUESTION 40
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?
- A. Encrypting data in transit and at rest using strong encryption algorithms.
- B. Getting consent from the data subject for a cross border data transfer.
- C. Anonymizing special categories of data.
- D. Conducting regular audits of the data protection program.
Answer: D
NEW QUESTION 41
Which of the following would require designating a data protection officer?
- A. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
- B. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
- C. Processing is carried out by an organization employing 250 persons or more.
- D. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
Answer: B
NEW QUESTION 42
SCENARIO
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids' website states the following:
"WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for your and your child's personal information. We will only share your and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain your and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing your and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to your and your child's personal information; rectify or erase your or your child's personal information; the right to correction or erasure of your and/or your child's personal information; object to any processing of your and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?
- A. Marketing information related to other business operations of WonderKids.
- B. No marketing information at all.
- C. Marketing information for products or services similar to those purchased from WonderKids.
- D. Any marketing information at all.
Answer: A
NEW QUESTION 43
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
- B. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- C. Submit a draft decision to other supervisory authorities for their opinion.
- D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
Answer: B
NEW QUESTION 44
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. When an individual's details are obtained from their inquiries about buying a product.
- B. Where an individual's details have been obtained from a bought-in marketing list.
- C. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- D. When an individual has not consented to the marketing.
Answer: C
NEW QUESTION 45
What is true if an employee makes an access request to his employer for any personal data held about him?
- A. The employer can decline the request if the information is only held electronically.
- B. The employer can automatically decline the request if it contains personal data about a third person.
- C. The employer must supply any information held about an employee unless an exemption applies.
- D. The employer must supply all the information held about the employee.
Answer: C
NEW QUESTION 46
What was the aim of the European Data Protection Directive 95/46/EC?
- A. To harmonize the implementation of the European Convention of Human Rights across all member states.
- B. To completely prevent the transfer of personal data out of the European Union.
- C. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.
- D. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
Answer: D
NEW QUESTION 47
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included awareness training programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization.
The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A. Information about how providing consent could affect them as employees.
- B. Information about what is specified in the employment contract.
- C. Information about how the measures are in the best interests of the company.
- D. Information about who employees should contact with any queries.
Answer: B
NEW QUESTION 48
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
- A. The Directive was annulled by the European Court of Human Rights.
- B. The Directive was superseded by the General Data Protection Regulation.
- C. The Directive was annulled by the Court of Justice of the European Union.
- D. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
Answer: C
NEW QUESTION 49
Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?
- A. The payment card number of a Dutch citizen
- B. The U.S. social security number of an American citizen living in France
- C. The identification number of a German candidate for a professional examination in Germany
- D. The unlinked aggregated data used for statistical purposes by an Italian company
Answer: C
NEW QUESTION 50
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?
- A. Within a reasonable period after obtaining the personal data, but no later than eight weeks.
- B. As soon as possible after the first communication with the data subject.
- C. As soon as possible after obtaining the personal data.
- D. Within a reasonable period after obtaining the personal data, but no later than one month.
Answer: C
NEW QUESTION 51
A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?
- A. Ensure that the receiving entity has signed a data processing agreement.
- B. Encrypt the transferred data in transit and at rest.
- C. Conduct a data protection impact assessment.
- D. Inform the data subject of the security measures in place.
Answer: D
NEW QUESTION 52
......
More about Test
The IAPP CIPP-E exam will test the candidate's understanding of the privacy laws and guidelines in Europe. It includes 90 questions taken over 2.5 hours. The candidate will also be tested on how well they conceptualize the legal prerequisites for transferring sensitive personal data to and from the US, the EU and other jurisdictions. In addition, the passing score for all IAPP tests is 300, with scores ranging between 100 and 500 points. The first attempt at the test costs $550, while a retake costs $375. The maintenance fee for the certification is $250 and is prompted when you enroll for your initial IAPP exam. Also, the certificate must be renewed every two years. The maintenance price is included in the membership fee for all members. The exam is delivered by computer through Pearson VUE, which partners with IAPP to deliver the exams. As a rule, the official test can be taken in any of the 6000 testing centers across the world. Once you pay the exam fee on the IAPP website, the candidate will be redirected to the Pearson VUE website to get their HOST location. The candidate will also get the exam time and date on the website by clicking on the My Purchases segment on their MyIAPP account. Also, the exam is available all through the year, but candidates are encouraged to apply for it at least 90 days before the actual date. Note that the date and time will vary depending on the location of the candidate. Finally, if candidates already have another IAPP certification, they get this exam at a discounted price of $375.