CIPP-E Exam - Certified Information Privacy Professional/Europe (CIPP/E)

certleader.com

Free CIPP-E Demo Online For IAPP Certification:

NEW QUESTION 1
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

  • A. To encourage the consistency of local data processing activity.
  • B. To give corporations a choice about who their supervisory authority will be.
  • C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
  • D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.

Answer: A

NEW QUESTION 2
A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

  • A. Destroy sensitive information and store the rest per applicable data protection rules.
  • B. Store all of the data in case the departing worker makes a subject access request.
  • C. Securely store the data that is required to be kept under local law.
  • D. Provide the employee the reasons for retaining the data.

Answer: A

NEW QUESTION 3
Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

  • A. Data subject rights
  • B. Data access disputes
  • C. Cross-border processing
  • D. Special categories of data

Answer: C

NEW QUESTION 4
Which of the following entities would most likely be exempt from complying with the GDPR?

  • A. A South American company that regularly collects European customers’ personal data.
  • B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
  • C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
  • D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

Answer: C

NEW QUESTION 5
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

  • A. Seek informed consent from company employees.
  • B. Have cameras recording during work hours only.
  • C. Retain captured footage for no more than 30 days.
  • D. Restrict camera placement to building entrances only.

Answer: A

NEW QUESTION 6
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

  • A. If the processing is to be performed by a third-party vendor
  • B. If the processing involves data that is considered personal data
  • C. If the processing of the data is done through automated means
  • D. If the processing is used to predict the behavior of data subjects

Answer: D

NEW QUESTION 7
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  • A. The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.
  • B. The supplier determines the location, security measures, and service standards applicable to the processing.
  • C. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  • D. The supplier assumes the vendor’s business risk associated with data processed by the supplier.

Answer: D

NEW QUESTION 8
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

  • A. They must report it to TripBliss Inc.
  • B. They must conduct a full systems audit.
  • C. They must report it to the supervisory authority.
  • D. They must inform customers who have used the website.

Answer: B

NEW QUESTION 9
The European Parliament jointly exercises legislative and budgetary functions with which of the following?

  • A. The European Commission.
  • B. The Article 29 Working Party.
  • C. The Council of the European Union.
  • D. The European Data Protection Board.

Answer: C

NEW QUESTION 10
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
Why is this company obligated to comply with the GDPR?

  • A. The company has offices in the EU.
  • B. The company employs staff in the EU.
  • C. The company’s data center is located in a country outside the EU.
  • D. The company’s products are marketed directly to EU customers.

Answer: D

NEW QUESTION 11
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft’s use of pseudonymization is NOT in compliance with the GDPR because?

  • A. JaphSoft failed to first anonymize the personal data.
  • B. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
  • C. JaphSoft was in possession of information that could be used to identify data subjects.
  • D. JaphSoft failed to keep personally identifiable information in a separate database.

Answer: B

NEW QUESTION 12
Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt
  • B. Within 40 days of receipt, which may be extended by up to 40 additional days
  • C. Within one month of receipt, which may be extended by up to an additional month
  • D. Within one month of receipt, which may be extended by an additional two months

Answer: C

NEW QUESTION 13
SCENARIO
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids’ website states the following:
“WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”
What additional information must WonderKids provide in their Privacy Statement?

  • A. How often promotional emails will be sent.
  • B. Contact information of the hosting company.
  • C. Technical and organizational measures to protect data.
  • D. The categories of recipients with whom data will be shared.

Answer: B

NEW QUESTION 14
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

  • A. The obligation of companies to declare data breaches.
  • B. The requirement to demonstrate compliance to a supervisory authority.
  • C. The necessity of the bulk collection of personal data by the government.

Answer: B

NEW QUESTION 15
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. Binding Corporate Rules are especially recommended for small and medium companies.
  • B. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.
  • C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
  • D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Answer: C

NEW QUESTION 16
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

  • A. Documenting due diligence steps taken in the pre-contractual stage.
  • B. Conducting a risk assessment to analyze possible outsourcing threats.
  • C. Requiring that the processor directly notify the appropriate supervisory authority.
  • D. Maintaining evidence that the processor was the best possible market choice available.

Answer: A

NEW QUESTION 17
What term BEST describes the European model for data protection?

  • A. Sectoral
  • B. Self-regulatory
  • C. Market-based
  • D. Comprehensive

Answer: A

NEW QUESTION 18
An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

  • A. Use a layered privacy notice on its website and in its email communications.
  • B. Identify uses of data in a privacy notice mailed to the data subject.
  • C. Provide only general information about its processing activities and offer a toll-free number for more information.
  • D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Answer: B

NEW QUESTION 19
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

  • A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
  • B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
  • C. Demonstrate that the profiling is for the purposes of direct marketing.
  • D. Consider the importance of the profiling to their particular objective.

Answer: C

NEW QUESTION 20
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

  • A. When creating an untargeted pop-up ad on a website.
  • B. When calling a potential customer to notify her of an upcoming product sale.
  • C. When emailing a customer to announce that his recent order should arrive earlier than expected.
  • D. When paying a search engine company to give prominence to certain products and services within specific search results.

Answer: A
