
The Ultimate IAPP CIPP-E Dumps PDF Review
Achieve The Utmost Performance In CIPP-E Exam Pass Guaranteed
The IAPP CIPP-E Certification Exam is an industry-recognized certification that validates the knowledge and expertise of professionals in the field of information privacy. The CIPP-E exam is designed to assess the candidate's understanding of the laws and regulations related to data protection in the European Union (EU) and to ensure they can apply these laws to real-world scenarios.
NEW QUESTION # 15
What is the key difference between the European Council and the Council of the European Union?
- A. The Council of the European Union has a degree of legislative power.
- B. The European Council is comprised of the heads of each EU member state.
- C. The European Council focuses primarily on issues involving human rights.
- D. The Council of the European Union is helmed by a president.
Answer: B
NEW QUESTION # 16
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
- A. Consulted with the relevant data protection authority about potential privacy violations.
- B. Consulted with the Information Security team to weigh security measures against possible server impacts.
- C. Distributed a more comprehensive notice to employees and received their express consent.
- D. Assessed potential privacy risks by conducting a data protection impact assessment.
Answer: C
NEW QUESTION # 17
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
- A. Cross-border processing
- B. Data subject rights
- C. Data access disputes
- D. Special categories of data
Answer: A
Explanation:
Explanation/Reference: https://iapp.org/news/a/is-it-possible-to-choose-your-lead-supervisory-authority-under-the-gdpr/
NEW QUESTION # 18
Which of the following is one of the supervisory authority's investigative powers?
- A. To require data controllers to provide them with written notification of all new processing activities.
- B. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
- C. To require that controllers or processors adopt approved data protection certification mechanisms.
- D. To notify the controller or the processor of an alleged infringement of the GDPR.
Answer: D
Explanation:
Reference https://gdpr-info.eu/art-58-gdpr/
NEW QUESTION # 19
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
- A. The data protection officer must be located in the country where the data controller has its main establishment.
- B. The group of undertakings must be comprised of organizations of similar sizes and functions.
- C. The group of undertakings must obtain approval from a supervisory authority.
- D. The data protection officer must be easily accessible from each establishment where the undertakings are located.
Answer: D
Explanation:
Explanation/Reference: https://www.privacy-regulation.eu/en/article-37-designation-of-the-data-protection-officer-GDPR.htm
NEW QUESTION # 20
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?
- A. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.
- B. The request is to obtain access and information about the purpose of processing his personal data.
- C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
- D. The request is to obtain access and correct inaccurate personal data in his profile.
Answer: C
NEW QUESTION # 21
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
- Name
- Address
- Date of Birth
- Payroll number
- National Insurance number
- Sick pay entitlement
- Maternity/paternity pay entitlement
- Holiday entitlement
- Pension and benefits contributions
- Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
- A. Their decision to operate without a data protection officer.
- B. Their failure to provide sufficient security safeguards to Company A's data.
- C. Their omission of data protection provisions in their contract with Company C.
- D. Their engagement of Company C to improve their payroll service.
Answer: D
NEW QUESTION # 22
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
- A. The supervisory authority
- B. Company X
- C. Law enforcement
- D. The public
Answer: C
NEW QUESTION # 23
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
- A. Consistent with Privacy Shield requirements
- B. Inextricably linked in their businesses.
- C. Supervised by the same Data Protection Officer.
- D. Bound by a standard contractual clause.
Answer: B
Explanation:
Reference http://curia.europa.eu/juris/document/document.jsf?docid=138782&doclang=EN
NEW QUESTION # 24
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
- B. The processor will be liable to pay compensation to affected data subjects
- C. The processor will be considered to be a controller in respect of the processing concerned
- D. The controller will be liable to pay an administrative fine
Answer: B
Explanation:
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
NEW QUESTION # 25
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?
- A. The legal obligation of the employer.
- B. The consent of the employees.
- C. The legitimate interest of the public administration.
- D. The protection of the vital interest of the employees.
Answer: A
Explanation:
Reference https://www.huntonprivacyblog.com/2020/03/25/spanish-dpa-publishes-report-on-data-processing-activities-in-relation-to-covid-19/
NEW QUESTION # 26
When would a data subject NOT be able to exercise the right to portability?
- A. When the data was supplied to the controller by the data subject.
- B. When the processing is based on consent.
- C. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
- D. When the processing is carried out pursuant to a contract with the data subject.
Answer: C
NEW QUESTION # 27
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
- A. A notice that the consumer's email address will be used for marketing purposes.
- B. A prior opt-in consent for consumers unless they are already customers.
- C. A pre-checked box stating that the consumer agrees to receive email marketing.
- D. No prior permission required, but an opt-out requirement on all emails sent to consumers.
Answer: B
Explanation:
Explanation/Reference: https://www.forbes.com/sites/forbescommunicationscouncil/2018/06/27/what-gdpr-means-for-email-marketing-to-eu-customers/#64020aa8374a
NEW QUESTION # 28
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
- A. Where the DPIA identifies risks that will require insurance for protecting its business interests.
- B. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
- C. Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.
- D. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
Answer: C
NEW QUESTION # 29
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?
- A. HRYourWay was ultimately not selected
- B. ProStorage will obtain consent for all transfers.
- C. ProStorage can rely on its Binding Corporate Rules
- D. HRYourWay is not located in a third country.
Answer: B
NEW QUESTION # 30
What is the main task of the European Data Protection Board?
- A. To ensure consistent application of the GDPR.
- B. To proactively prevent disputes between national supervisory authorities.
- C. To assess adequacy of data protection in third countries
- D. To publish guidelines for data subjects on how to properly enforce their rights
Answer: A
NEW QUESTION # 31
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A. The requirements specified that data must be held within the EU.
- B. The requirements were financially burdensome to EU businesses.
- C. The requirements affected individuals without exception.
- D. The requirements had limitations on how national authorities could use data.
Answer: D
Explanation:
Reference:
%20the%20Grand,proportionality%20in%20forging%20the%20Directive.
NEW QUESTION # 32
What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"?
- A. To give corporations a choice about who their supervisory authority will be.
- B. To encourage the consistency of local data processing activity.
- C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
- D. To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.
Answer: B
NEW QUESTION # 33
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?
- A. Where the customer's Internet service provider is located
- B. Where the technology supporting the website is located
- C. Where the decisions about processing are made
- D. Where the website is accessed
Answer: A
Explanation:
Reference https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the-european-general-data-protection-regulation-gdpr/
NEW QUESTION # 34
What should a controller do after a data subject opts out of a direct marketing activity?
- A. Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.
- B. Refrain from processing personal data relating to the data subject for the relevant type of communication.
- C. Without undue delay, provide information to the data subject on the action that will be taken.
- D. Without exception, securely delete all personal data relating to the data subject.
Answer: B
NEW QUESTION # 35
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
- A. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
- B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
- C. Employees must sign an ad hoc contractual agreement each time personal data is exported.
- D. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
Answer: B
NEW QUESTION # 36
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?
- A. Categories of recipients to whom the personal data have been disclosed.
- B. Retention periods for erasure and deletion of categories of personal data.
- C. Data inventory or data mapping exercises that have been conducted.
- D. Incidents of personal data breaches, whether disclosed or not.
Answer: B
NEW QUESTION # 37
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
- A. When the personal data is held by the controller but not processed for further purposes
- B. When the personal data is processed by an individual only for their household activities
- C. When the personal data is processed only in non-electronic form
- D. When the personal data is collected and then pseudonymised by the controller
Answer: D
NEW QUESTION # 38
Achieve your Success with Latest IAPP CIPP-E Exam: https://www.examcollectionpass.com/IAPP/CIPP-E-practice-exam-dumps.html
The CIPP-E Exam Test For Brief Preparation: https://drive.google.com/open?id=1748crn8zklziBJrJbR2HyFfMLpEaSROy