
Master 2021 Latest The Questions Certified Information Privacy Professional and Pass CIPP-E Real Exam!
Penetration testers simulate CIPP-E exam PDF
NEW QUESTION 44
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
- A. The data subject already has information regarding how his data will be used
- B. Third-party data would be disclosed by providing such information to the data subject
- C. The processing of the data subject's data is protected by appropriate technical measures
- D. The provision of such information to the data subject would be too problematic
Answer: A
NEW QUESTION 45
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box' Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?
- A. The level of security within the website.
- B. The contract with the third-party advertising network.
- C. The need to have the contents of the advertising approved.
Section: (none)
Explanation - D. The lack of the option to opt in.
Answer: D
NEW QUESTION 46
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
- A. When emailing a customer to announce that his recent order should arrive earlier than expected.
- B. When calling a potential customer to notify her of an upcoming product sale.
- C. When creating an untargeted pop-up ad on a website.
- D. When paying a search engine company to give prominence to certain products and services within specific search results.
Answer: C
NEW QUESTION 47
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
- A. The European Data Protection Supervisor.
- B. National data protection authorities.
- C. Approved data controllers.
- D. The Council of the European Union.
Answer: C
NEW QUESTION 48
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
- A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
- B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
- C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
- D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
Answer: C
Explanation:
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)
NEW QUESTION 49
If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?
- A. Decision 2001/497/EC (EU controller to non-EU or EEA controller).
- B. Decision 2004/915/EC (EU controller to non-EU or EEA controller).
- C. Decision 2007/72/EC (EU processor to non-EU or EEA controller).
- D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller).
Answer: B
NEW QUESTION 50
Which of the following would require designating a data protection officer?
- A. Processing is carried out by an organization employing 250 persons or more.
- B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
- C. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
- D. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
Answer: C
Explanation:
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/accountability-and-governance/data-protection-officers/
NEW QUESTION 51
An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?
- A. E-Commerce Directive 2000/31/EC.
- B. E-Privacy Directive 2002/58/EC.
- C. General Data Protection Regulation 2016/679.
- D. Data Protection Directive 95/46/EC.
Answer: D
NEW QUESTION 52
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your dat a. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.) First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?
- A. Cease processing any data collected through use of the app.
- B. Erase any data collected from the time the app was first used.
- C. Provide the user with logs of data collected through use of the app.
- D. Inform any third parties of the user's withdrawal of consent.
Answer: A
NEW QUESTION 53
A U.S. company's website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?
- A. An affiliate office is located in France but the processing is in the U.S.
- B. The website places cookies to monitor the EU website user behavior.
- C. The widgets are offered in EU and priced in euro.
- D. The website is in English and French, and is accessible in France.
Answer: D
NEW QUESTION 54
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A. Categories of processing carried out on behalf of each controller for which the processor is acting.
- B. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
- C. Name and contact details of each controller on behalf of which the processor is acting.
- D. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
Answer: D
NEW QUESTION 55
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?
- A. Because of the misrepresentation of personal data as an endorsement.
- B. Because of the juxtaposition of the quotation with others' quotations.
- C. Because of the use of personal data outside of the social networking service (SNS).
- D. Because of the misapplication of the household exception in relation to a social networking service (SNS).
Answer: D
NEW QUESTION 56
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?
- A. If the data becomes necessary to defend Accidentable's legal rights.
- B. If Accidentable also uses the data to conduct public health research.
- C. If the accuracy of the data is not an aspect that Louis is disputing.
- D. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
Answer: D
NEW QUESTION 57
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
- A. Assessed potential privacy risks by conducting a data protection impact assessment.
- B. Consulted with the relevant data protection authority about potential privacy violations.
- C. Distributed a more comprehensive notice to employees and received their express consent.
- D. Consulted with the Information Security team to weigh security measures against possible server impacts.
Answer: C
NEW QUESTION 58
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about what students have been told and how the research will be used.
- B. More information about the algorithm Frank used to mask student numbers.
- C. More information about the extent of the information loss.
- D. More information about Frank's data protection training.
Answer: A
NEW QUESTION 59
A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?
- A. If the data protection officer lacks ISO 27001 auditor certification.
- B. If the data protection officer receives instructions from the data controller.
- C. If the data protection officer also manages the marketing budget.
- D. If the data protection officer is provided by the data processor.
Answer: B
NEW QUESTION 60
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about what students have been told and how the research will be used.
- B. More information about the algorithm Frank used to mask student numbers.
- C. More information about the extent of the information loss.
- D. More information about Frank's data protection training.
Answer: A
NEW QUESTION 61
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
- A. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
- B. An explanation of the security measures used when personal data is transferred to a third party.
- C. An efficient means of providing written consent in member states where they are required to do so.
- D. A privacy notice containing brief information whilst offering access to further detail.
Answer: D
Explanation:
Explanation
NEW QUESTION 62
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The synchronization of approaches to data protection
- B. The creation of legally binding data protection principles
- C. The establishment of a list of legitimate data processing criteria
- D. The restriction of cross-border data flow
Answer: D
NEW QUESTION 63
Company X has entrusted the processing of their payroll data to Provider Y.
Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
- A. The public
- B. Company X
- C. The supervisory authority
- D. Law enforcement
Answer: D
NEW QUESTION 64
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
- A. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
- B. An explanation of the security measures used when personal data is transferred to a third party.
- C. An efficient means of providing written consent in member states where they are required to do so.
- D. A privacy notice containing brief information whilst offering access to further detail.
Answer: D
NEW QUESTION 65
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To create and maintain records of processing activities.
- B. To create procedures for notification of personal data breaches to competent supervisory authorities.
- C. To conduct Privacy Impact Assessments on behalf of the controller or processor.
- D. To monitor compliance with other local or European data protection provisions.
Answer: C
NEW QUESTION 66
......
Penetration testers simulate CIPP-E exam: https://www.vcedumps.com/CIPP-E-examcollection.html
Bestselling On-The-Job Reference Exam Questions: https://drive.google.com/open?id=16Q8VHrsGyMGqj6refKN3jipRCiWG9ywp
