CIPP-E Exam - Certified Information Privacy Professional/Europe (CIPP/E)


NEW QUESTION 1
A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

  • A. If the data protection officer lacks ISO 27001 auditor certification.
  • B. If the data protection officer is provided by the data processor.
  • C. If the data protection officer also manages the marketing budget.
  • D. If the data protection officer receives instructions from the data controller.

Answer: D

NEW QUESTION 2
Which of the following is one of the supervisory authority’s investigative powers?

  • A. To notify the controller or the processor of an alleged infringement of the GDPR.
  • B. To require that controllers or processors adopt approved data protection certification mechanisms.
  • C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
  • D. To require data controllers to provide them with written notification of all new processing activities.

Answer: A

NEW QUESTION 3
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?

  • A. New corporate governance and code of conduct.
  • B. A data protection impact assessment.
  • C. A comprehensive data inventory.
  • D. Hiring a data protection officer.

Answer: A

NEW QUESTION 4
According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

  • A. When processed with the intent to publish information regarding a natural person on publicly accessible media.
  • B. When processed with the intent to proceed to scientific or historical research projects.
  • C. When processed with the intent to uniquely identify or authenticate a natural person.
  • D. When processed with the intent to comply with a law.

Answer: C

NEW QUESTION 5
Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

  • A. Data subjects must be sufficiently informed of the purposes for which their personal data is processed.
  • B. Processing of special categories of personal data on a large scale requires appointing a DPO.
  • C. Personal data of data subjects must always be accurate and kept up to date.
  • D. Data controllers must be in control of the data they hold at all times.

Answer: D

NEW QUESTION 6
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

  • A. The request is to obtain access and correct inaccurate personal data in his profile.
  • B. The request is to obtain access and information about the purpose of processing his personal data.
  • C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
  • D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Answer: C

NEW QUESTION 7
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

  • A. The individuals are European citizens or residents.
  • B. The data processing activities are in Spain.
  • C. The data controller is in France.
  • D. The EU individuals are targeted.

Answer: D

NEW QUESTION 8
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

  • A. Protection of the interests of the data subjects.
  • B. Performance of a contract
  • C. Legitimate interest
  • D. Consent

Answer: D

NEW QUESTION 9
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?

  • A. Not more than one month of receipt of Mike’s request.
  • B. Not more than two months after verifying Mike’s identity.
  • C. When all the information about Mike has been collected.
  • D. Not more than thirty days after submission of Mike’s request.

Answer: D

NEW QUESTION 10
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  • A. The ePrivacy Directive allows individual EU member states to engage in such data retention.
  • B. The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
  • C. The Data Retention Directive’s annulment makes such data retention now permissible.
  • D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Answer: D

NEW QUESTION 11
What is the key difference between the European Council and the Council of the European Union?

  • A. The Council of the European Union is helmed by a president.
  • B. The Council of the European Union has a degree of legislative power.
  • C. The European Council focuses primarily on issues involving human rights.
  • D. The European Council is comprised of the heads of each EU member state.

Answer: D

NEW QUESTION 12
WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679” provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A postal notification
  • B. A direct electronic message
  • C. A notice on a corporate blog
  • D. A prominent advertisement in print media

Answer: C

NEW QUESTION 13
The Planet 49 CJEU Judgement applies to?

  • A. Cookies used only by third parties.
  • B. Cookies that are deemed technically necessary.
  • C. Cookies regardless of whether the data accessed is personal or not.
  • D. Cookies where the data accessed is considered as personal data only.

Answer: C

NEW QUESTION 14
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

  • A. Court of Auditors
  • B. Court of Justice of the European Union
  • C. European Court of Human Rights
  • D. European Data Protection Board

Answer: B

NEW QUESTION 15
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

  • A. Both govern international transfers of personal data
  • B. Both govern the manual processing of personal data
  • C. Both only apply to European Union countries
  • D. Both require notification of processing activities to a supervisory authority

Answer: D

NEW QUESTION 16
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?

  • A. An evaluation of the complexity of the intended processing.
  • B. An explanation of the purposes and means of the intended processing.
  • C. Records showing that customers have explicitly consented to the intended profiling activities.
  • D. Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.

Answer: B

NEW QUESTION 17
How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

  • A. App developers will expand the amount of data necessary to collect for an app’s functionality.
  • B. Users will be given granular types of consent for particular types of processing.
  • C. App developers’ responsibilities as data controllers will increase.
  • D. Users will see fewer advertisements when using apps.

Answer: B

NEW QUESTION 18
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  • B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

Answer: B

NEW QUESTION 19
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

  • A. The consent of the employees.
  • B. The legal obligation of the employer.
  • C. The legitimate interest of the public administration.
  • D. The protection of the vital interest of the employees.

Answer: B

NEW QUESTION 20
SCENARIO
Please use the following to answer the next question:
Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities mean that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities.
Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

  • A. The company will be undertaking processing activities involving sensitive data categories such as financial and children’s data.
  • B. The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
  • C. The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
  • D. The company intends to shift their business model to rely more heavily on online shopping.

Answer: C
