IAPP CIPP-E Dumps (V16.03) Are Online for Your Certification Preparation: Read Our CIPP-E Free Dumps (Part 3, Q81-Q100)

1. When would a data subject NOT be able to exercise the right to portability?

2. A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

3. As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

4. SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

5. Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data.

Which of the following is NOT one of these exceptions?

6. Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

7. If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

8. A worker in a European Union (EU) member state has ceased his employment with a company.

What should the employer most likely do in regard to the worker’s personal data?

9. SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service.

Company B’s live systems will contain the following information for each of Company A’s employees:

✑ Name

✑ Address

✑ Date of Birth

✑ Payroll number

✑ National Insurance number

✑ Sick pay entitlement

✑ Maternity/paternity pay entitlement

✑ Holiday entitlement

✑ Pension and benefits contributions

✑ Trade union contributions

Jenny is the compliance officer at Company

A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures.

What would be the most realistic way that Company B could have fulfilled this requirement?

10. Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

11. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

12. What obligation does a data controller or processor have after appointing a data protection officer?

13. SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

14. According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

15. According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?

16. Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest.

Which GDPR principle is she following?

17. Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

18. SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees arelocated there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

19. Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

20. The Planet 49 CJEU Judgement applies to?