CIPP-E Exam - Certified Information Privacy Professional/Europe (CIPP/E)

NEW QUESTION 1
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

• A. The public
• B. Company X
• C. Law enforcement
• D. The supervisory authority

Answer: C

NEW QUESTION 2
In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

• A. The predicted consequences of the breach.
• B. The measures being taken to address the breach.
• C. The type of security safeguards used to protect the data.
• D. The contact details of the appropriate data protection officer.

Answer: D

NEW QUESTION 3
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

• A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
• B. Requesting advice and technical support from Company A’s IT team.
• C. Avoiding the use of another company’s data to improve their own services.
• D. Vetting companies’ measures with the appropriate supervisory authority.

Answer: A

NEW QUESTION 4
To which of the following parties does the territorial scope of the GDPR NOT apply?

• A. All member countries of the European Economic Area.
• B. All member countries party to the Treaty of Lisbon.
• C. All member countries party to the Paris Agreement.
• D. All member countries of the European Union.

Answer: A

NEW QUESTION 5
What type of data lies beyond the scope of the General Data Protection Regulation?

• A. Pseudonymized
• B. Anonymized
• C. Encrypted
• D. Masked

Answer: B

NEW QUESTION 6
When is data sharing agreement MOST likely to be needed?

• A. When anonymized data is being shared.
• B. When personal data is being shared between commercial organizations acting as joint data controllers.
• C. When personal data is being proactively shared by a controller to support a police investigation.
• D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Answer: B

NEW QUESTION 7
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

• A. Anonymizing special categories of data.
• B. Conducting regular audits of the data protection program.
• C. Getting consent from the data subject for a cross border data transfer.
• D. Encrypting data in transit and at rest using strong encryption algorithms.

Answer: B

NEW QUESTION 8
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs
Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University’s records does Anna NOT have to include in her record of processing activities?

• A. Student records
• B. Staff and alumni records
• C. Frank’s performance database
• D. Department for Education records

Answer: C

NEW QUESTION 9
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

• A. Approved certifications.
• B. Binding corporate rules.
• C. Law enforcement requests.
• D. Standard contractual clauses.

Answer: A

NEW QUESTION 10
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

• A. Name and contact details of each controller on behalf of which the processor is acting.
• B. Categories of processing carried out on behalf of each controller for which the processor is acting.
• C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
• D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Answer: C

NEW QUESTION 11
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

• A. The group of undertakings must obtain approval from a supervisory authority.
• B. The group of undertakings must be comprised of organizations of similar sizes and functions.
• C. The data protection officer must be located in the country where the data controller has its main establishment.
• D. The data protection officer must be easily accessible from each establishment where the undertakings are located.

Answer: D

NEW QUESTION 12
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

• A. Personal data revealing ethnic origin.
• B. Personal data revealing genetic data.
• C. Personal data revealing financial data.
• D. Personal data revealing trade union membership.

Answer: C

NEW QUESTION 13
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

• A. The local Data Protection Supervisory Authorities.
• B. The European Data Protection Board.
• C. The EU Commission.
• D. The Member States.

Answer: D

NEW QUESTION 14
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

• A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
• B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
• C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
• D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Answer: A

NEW QUESTION 15
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

• A. Law firm organizations.
• B. Civil society organizations.
• C. Human rights organizations.
• D. Constitutional rights organizations.

Answer: A

NEW QUESTION 16
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

• A. The resulting obligation to notify data subjects would involve disproportionate effort.
• B. The incident resulted from the actions of a third-party that were beyond their control.
• C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
• D. The sensitivity of the categories of data involved in the incident was not substantial enough.

Answer: B

NEW QUESTION 17
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

• A. If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.
• B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.
• C. If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.
• D. If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

Answer: A

NEW QUESTION 18
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

• A. The European Parliament
• B. The European Commission
• C. The Article 29 Working Party
• D. The European Council

Answer: B

NEW QUESTION 19
Which of the following was the first to implement national law for data protection in 1973?

• A. France
• B. Sweden
• C. Germany
• D. United Kingdom

Answer: B

NEW QUESTION 20
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
What is the nature of BHealthy and Natural Insight’s relationship?

• A. Natural Insight is BHealthy’s processor because the companies entered into data processing terms.
• B. Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural Insight.
• C. Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens.
• D. Natural Insight is a controller because it is separately determine the purpose of processing when it uses BHealthy’s customer information to improve its machine learning algorithms.

Answer: A

NEW QUESTION 21
......