
CIPP-E Training & Certification Get Latest Certified Information Privacy Professional Updated on Oct 23, 2021
Certification Training for CIPP-E Exam Dumps Test Engine
NEW QUESTION 53
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?
- A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
- B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
- C. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
- D. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
Answer: C
Explanation/Reference: https://www.zimmerslaw.com/english-1/data-protection/
NEW QUESTION 54
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
- A. Legislative powers.
- B. Investigatory powers.
- C. Corrective powers.
- D. Authorization and advisory powers.
Answer: D
NEW QUESTION 55
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
- A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
- B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
- C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
- D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
Answer: C
Reference: https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of-GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)
NEW QUESTION 56
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?
- A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
- B. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
- C. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
- D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
Answer: A
NEW QUESTION 57
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
- A. The Member States.
- B. The EU Commission.
- C. The European Data Protection Board.
- D. The local Data Protection Supervisory Authorities.
Answer: A
NEW QUESTION 58
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?
- A. Providing a multi-layered privacy notice, in a website environment.
- B. Providing a hyperlink to the organization's home page, in a hard copy application form.
- C. Providing a QR code linking to a more detailed privacy notice, in a CCTV sign.
- D. Providing a "just-in-time" contextual pop-up privacy notice, in an online application form field.
Answer: A
NEW QUESTION 59
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop's PRIMARY obligation while engaging in this kind of profiling?
- A. It must prove that it uses sufficient security safeguards to protect customer data
- B. It must seek authorization from the European supervisory authorities
- C. It must solicit informed consent through a notice on its website
- D. It must be able to demonstrate a prior business relationship with the customers
Answer: C
NEW QUESTION 60
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
- A. When the personal data is collected and then pseudonymised by the controller
- B. When the personal data is processed by an individual only for their household activities
- C. When the personal data is held by the controller but not processed for further purposes
- D. When the personal data is processed only in non-electronic form
Answer: A
NEW QUESTION 61
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
- A. If the processing involves data that is considered personal data
- B. If the processing is to be performed by a third-party vendor
- C. If the processing is used to predict the behavior of data subjects
- D. If the processing of the data is done through automated means
Answer: C
NEW QUESTION 62
Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?
- A. Choose the data protection officer that is most sympathetic to their business concerns.
- B. Select third-party processors on the basis of cost rather than quality of privacy protection.
- C. File appeals of infringement judgments with more than one EU institution simultaneously.
- D. Designate their main establishment in the member state with the most flexible practices.
Answer: D
NEW QUESTION 63
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
- A. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
- B. An explanation of the security measures used when personal data is transferred to a third party.
- C. An efficient means of providing written consent in member states where they are required to do so.
- D. A privacy notice containing brief information whilst offering access to further detail.
Answer: D
NEW QUESTION 64
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
- A. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
- B. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
- C. Encrypt the data in transit over the wireless Bluetooth connection.
- D. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
Answer: C
NEW QUESTION 65
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?
- A. Where the customer's Internet service provider is located
- B. Where the website is accessed
- C. Where the technology supporting the website is located
- D. Where the decisions about processing are made
Answer: A
Explanation/Reference: https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the-european-general-data-protection-regulation-gdpr/
NEW QUESTION 66
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A. Categories of processing carried out on behalf of each controller for which the processor is acting.
- B. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
- C. Name and contact details of each controller on behalf of which the processor is acting.
- D. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
Answer: D
NEW QUESTION 67
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A. The processor will be considered to be a controller in respect of the processing concerned
- B. The processor will be liable to pay compensation to affected data subjects
- C. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
- D. The controller will be liable to pay an administrative fine
Answer: B
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
NEW QUESTION 68
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?
- A. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
- B. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
- C. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
- D. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
Answer: A
NEW QUESTION 69
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint?
- A. T-Craze conducts its marketing and sales activities in France.
- B. T-Craze has a French affiliate.
- C. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
- D. The French affiliate procured the services of Right Target.
Answer: A
NEW QUESTION 70
According to the GDPR, how is pseudonymous personal data defined?
- A. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
- B. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
- C. Data that has been encrypted or is subject to other technical safeguards.
- D. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
Answer: B
NEW QUESTION 71
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?
- A. Not more than one month of receipt of Mike's request.
- B. When all the information about Mike has been collected.
- C. Not more than thirty days after submission of Mike's request.
- D. Not more than two months after verifying Mike's identity.
Answer: C
NEW QUESTION 72
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A. Information about how providing consent could affect them as employees.
- B. Information about what is specified in the employment contract.
- C. Information about who employees should contact with any queries.
- D. Information about how the measures are in the best interests of the company.
Answer: B
NEW QUESTION 73
The Planet 49 CJEU Judgement applies to?
- A. Cookies regardless of whether the data accessed is personal or not.
- B. Cookies used only by third parties.
- C. Cookies where the data accessed is considered as personal data only.
- D. Cookies that are deemed technically necessary.
Answer: A
NEW QUESTION 74
Company X has entrusted the processing of their payroll data to Provider Y.
Provider Y stores this encrypted data in its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
- A. The public
- B. Company X
- C. The supervisory authority
- D. Law enforcement
Answer: D