[Q31-Q47] IAPP CIPP-C Practice Verified Answers - Pass Your Exams For Sure! [2021]

Valid Way To Pass Certified Information Privacy Professional's CIPP-C Exam

NEW QUESTION 31
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

  • A. Background checks on employees could be performed only under prior notice to all employees.
  • B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
  • C. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
  • D. Background checks on European employees will stem from data protection and employment law, which can vary between member states.

Answer: D

NEW QUESTION 32
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles.
Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs' handling of customer personal data?

  • A. The data is sensitive.
  • B. The data is uncategorized.
  • C. The data is being processed via a new means.
  • D. The data is being used for a new purpose.

Answer: C

NEW QUESTION 33
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?

  • A. Hashing
  • B. Asymmetric Encryption
  • C. Symmetric Encryption
  • D. Obfuscation

Answer: B

NEW QUESTION 34
How is the retention of communications traffic data for law enforcement purposes addressed by Canadian data protection law?

  • A. The Data Retention Directive's annulment makes such data retention now permissible.
  • B. The ePrivacy Directive allows individuals to engage in such data retention.
  • C. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
  • D. The ePrivacy Directive harmonizes rules concerning such data retention.

Answer: C

NEW QUESTION 35
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  • A. Assessed potential privacy risks by conducting a data protection impact assessment.
  • B. Consulted with the relevant data protection authority about potential privacy violations.
  • C. Distributed a more comprehensive notice to employees and received their express consent.
  • D. Consulted with the Information Security team to weigh security measures against possible server impacts.

Answer: C

NEW QUESTION 36
According to the GDPR, how is pseudonymous personal data defined?

  • A. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
  • B. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
  • C. Data that has been encrypted or is subject to other technical safeguards.
  • D. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Answer: B

NEW QUESTION 37
What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

  • A. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.
  • B. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
  • C. An obligation on both parties to report any serious personal data breach to the supervisory authority.
  • D. An obligation on the processor to report any personal data breach to the controller within 72 hours.

Answer: C

NEW QUESTION 38
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

  • A. Provide only general information about its processing activities and offer a toll-free number for more information.
  • B. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
  • C. Identify uses of data in a privacy notice mailed to the data subject.
  • D. Use a layered privacy notice on its website and in its email communications.

Answer: C

NEW QUESTION 39
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  • A. Verify that the purpose of the request from the customer is in line with the GDPR.
  • B. Verify that the request is applicable to the data collected before the GDPR entered into force.
  • C. Verify that the identity of the customer can be proven by other means.
  • D. Verify that the personal data has not already been sent to the customer.

Answer: B

NEW QUESTION 40
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679" provide examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A notice on a corporate blog
  • B. A prominent advertisement in print media
  • C. A postal notification
  • D. A direct electronic message

Answer: A

NEW QUESTION 41
In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

  • A. The type of security safeguards used to protect the data.
  • B. The measures being taken to address the breach.
  • C. The contact details of the appropriate data protection officer.
  • D. The predicted consequences of the breach.

Answer: C

NEW QUESTION 42
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt
  • B. Within one month of receipt, which may be extended by up to an additional month
  • C. Within 40 days of receipt, which may be extended by up to 40 additional days
  • D. Within one month of receipt, which may be extended by an additional two months

Answer: B

NEW QUESTION 43
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor provided her personal data to that company.
Under the GDPR, Liem and EcoMick's contract with MarketIQ must include all of the following provisions EXCEPT?

  • A. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
  • B. Returning or deleting personal data after the end of the provision of the services.
  • C. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
  • D. Notification regarding third party requests for access to Liem and EcoMick's personal data.

Answer: A

NEW QUESTION 44
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

  • A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  • B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  • C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  • D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: C

Explanation:
Reference: https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of-GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

NEW QUESTION 45
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. Only as a last resort and when interpreted restrictively.
  • B. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • C. When it has been determined that adequate protection can be performed.
  • D. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.

Answer: C

NEW QUESTION 46
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"?

  • A. Do Not Track
  • B. International data transfers
  • C. Promoting enforceable self-regulatory codes
  • D. Large platform providers

Answer: B

NEW QUESTION 47
......