This page was exported from Latest Exam Prep [ http://certify.vceprep.com ]
Export date: Sat Sep 21 11:36:48 2024 / +0000 GMT

Title: [Apr 12, 2022] Passing Key To Getting CIPP-E Certified Exam Engine PDF [Q76-Q97]

NEW QUESTION 76
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps
* Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?
* Pursue a GDPR-compliant Privacy by Design process.
* Institute a GDPR-compliant employee monitoring process.
* Maintain a secure Bring Your Own Device (BYOD) program.
* Ensure cloud vendors are complying with internal data use policies.

NEW QUESTION 77
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases.
Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?
* An evaluation of the complexity of the intended processing.
* An explanation of the purposes and means of the intended processing.
* Records showing that customers have explicitly consented to the intended profiling activities.
* Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.

NEW QUESTION 78
What was the aim of the European Data Protection Directive 95/46/EC?
* To harmonize the implementation of the European Convention of Human Rights across all member states.
* To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
* To completely prevent the transfer of personal data out of the European Union.
* To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

NEW QUESTION 79
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?
* Court of Auditors
* Court of Justice of European Union
* European Court of Human Rights
* European Data Protection Board

NEW QUESTION 80
Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?
* It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
* It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
* It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
* It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

NEW QUESTION 81
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?
* As soon as possible after obtaining the personal data.
* As soon as possible after the first communication with the data subject.
* Within a reasonable period after obtaining the personal data, but no later than one month.
* Within a reasonable period after obtaining the personal data, but no later than eight weeks.

NEW QUESTION 82
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
* A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
* A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.
* A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
* A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

NEW QUESTION 83
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?
* Advertisements passively displayed on a website.
* The use of cookies to collect data about an individual.
* A text message to individuals from a company offering concert tickets for sale.
* An email from a retail outlet promoting a sale to one of their previous customers.

NEW QUESTION 84
SCENARIO
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids’ website states the following:
“WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you.
By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”
What must the contract between WonderKids and the hosting service provider contain?
* The requirement to implement technical and organizational measures to protect the data.
* Controller-to-controller model contract clauses.
* Audit rights for the data subjects.
* A non-disclosure agreement.

NEW QUESTION 85
Which of the following is an example of direct marketing that would be subject to European data protection laws?
* An updated privacy notice sent to an individual’s personal email address.
* A charity fundraising event notice sent to an individual at her business address.
* A service outage notification provided to an individual by recorded telephone message.
* A revision of contract terms conveyed to an individual by SMS from a marketing organization.

NEW QUESTION 86
SCENARIO
Please use the following to answer the next question:
Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Erbium must have gotten his information from ABC.
Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him their full range of insurance policies.
Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.
In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.
ABC supplies Jason with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron as this is not technically feasible. ABC also explains that Jason’s contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Jason is still receiving unwanted calls from Erbium Insurance.
He writes to Erbium to ask for the name of the organization that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Erbium’s response letter confirms Jason’s suspicions. Erbium is ABC’s wholly owned subsidiary, and they received information about Jason’s accident from ABC shortly after Jason submitted his accident claim. Erbium assures Jason that there has been no breach of the GDPR, as Jason’s contract included a provision in which he agreed to share his information with ABC’s affiliates for business purposes.
Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.
After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply?
* If Erbium is entitled to use of the data as an affiliate of ABC.
* If Erbium also uses the data to conduct public health research.
* If the data becomes necessary to defend Erbium’s legal rights.
* If the accuracy of the data is not an aspect that Jason is disputing.

NEW QUESTION 87
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
* If obtaining consent is deemed to involve disproportionate effort.
* If obtaining consent is deemed voluntary by local legislation.
* If the company limits the footage to data subjects solely of legal age.
* If the company’s status as a documentary provider allows it to claim legitimate interest.

NEW QUESTION 88
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?
* Notify the newspaper that it is delisting the article.
* Fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.
* Identify other controllers who are processing the same information and inform them of the delisting request.
* Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

NEW QUESTION 89
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
* The European Commission can adopt an adequacy decision for individual companies.
* The European Commission can adopt, repeal or amend an existing adequacy decision.
* EU member states are vested with the power to accept or reject a European Commission adequacy decision.
* To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

NEW QUESTION 90
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department.
The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR.
After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University’s records does Anna NOT have to include in her record of processing activities?
* Student records
* Staff and alumni records
* Frank’s performance database
* Department for Education records

NEW QUESTION 91
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
* The European Parliament
* The European Commission
* The Article 29 Working Party
* The European Council

NEW QUESTION 92
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight.
Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organizational measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?
* If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.
* If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.
* If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.
* If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

NEW QUESTION 93
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
* The group of undertakings must obtain approval from a supervisory authority.
* The group of undertakings must be comprised of organizations of similar sizes and functions.
* The data protection officer must be located in the country where the data controller has its main establishment.
* The data protection officer must be easily accessible from each establishment where the undertakings are located.

NEW QUESTION 94
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company  This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures.
What would be the most realistic way that Company B could have fulfilled this requirement?
* Hiring companies whose measures are consistent with recommendations of accrediting bodies.
* Requesting advice and technical support from Company A’s IT team.
* Avoiding the use of another company’s data to improve their own services.
* Vetting companies’ measures with the appropriate supervisory authority.
Explanation/Reference: https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/

NEW QUESTION 95
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?
* If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
* When it has been determined that adequate protection can be performed.
* Only if the Data Protection Impact Assessment (DPIA) shows low risk.
* Only as a last resort and when interpreted restrictively.

NEW QUESTION 96
An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?
* Notify affected individuals that their data was unavailable for a period of time.
* Document the loss of availability to demonstrate accountability.
* Notify the supervisory authority about the loss of availability.
* Conduct a thorough audit of all security systems.
Explanation/Reference: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwihmsidxtTqAhXvQUEAHXRaAdYQFjABegQIARAB&url=https%3A%2F%2Fec.europa.eu%2Fnewsroom%2Farticle29%2Fdocument.cfm%3Fdoc_id%3D49827&usg=AOvVaw2uhYsKyRzJ6lwhQyiMURJF

NEW QUESTION 97
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
* The obligation of companies to declare data breaches.
* The requirement to demonstrate compliance to a supervisory authority.
* The necessity of the bulk collection of personal data by the government.

Post date: 2022-04-12 05:49:07
Post modified date: 2022-04-12 05:49:07