
PDF Download Free of CIPP-E Valid Practice Test Questions
CIPP-E Test Engine files, CIPP-E Dumps PDF
Achieving CIPP-E certification is a significant achievement for privacy professionals who are looking to advance their careers. It demonstrates a high level of knowledge and expertise in the field of data protection and can open up new opportunities for career progression. Additionally, maintaining the certification requires ongoing education and training, ensuring that certified professionals stay up-to-date with the latest developments in data protection laws and regulations.
NEW QUESTION # 134
With the issue of consent, the GDPR allows member states some choice regarding what?
- A. The age at which children must be required to obtain parental consent
- B. The timeframe in which data subjects are allowed to withdraw their consent
- C. The circumstances in which silence or inactivity may constitute consent
- D. The mechanisms through which consent may be communicated
Answer: A
Explanation:
Reference: https://gdpr-info.eu/issues/consent/
NEW QUESTION # 135
What is the key difference between the European Council and the Council of the European Union?
- A. The European Council is comprised of the heads of each EU member state.
- B. The Council of the European Union has a degree of legislative power.
- C. The European Council focuses primarily on issues involving human rights.
- D. The Council of the European Union is helmed by a president.
Answer: A
Explanation:
Reference: https://www.quora.com/What-is-the-difference-between-the-European-Council-the-Council-of-the-European-Union-and-the-Council-of-Europe
NEW QUESTION # 136
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The establishment of a list of legitimate data processing criteria
- B. The creation of legally binding data protection principles
- C. The restriction of cross-border data flow
- D. The synchronization of approaches to data protection
Answer: D
NEW QUESTION # 137
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Big begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?
- A. The Data Protection Authority.
- B. The European Commission.
- C. The European Data Protection Board.
- D. The Court of Justice of the European Union.
Answer: A
NEW QUESTION # 138
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
- A. The European Council
- B. The European Commission
- C. The European Parliament
- D. The Article 29 Working Party
Answer: B
Explanation:
According to Article 45 of the GDPR, the European Commission has the power to determine, on the basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an international organisation ensures an adequate level of data protection. This means that the data protection rules and standards in that country or organisation are equivalent to those in the EU. The effect of an adequacy decision is that personal data can flow freely from the EU to that country or organisation without any further safeguards or authorisations. The European Commission has adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the EU-US Data Privacy Framework. Reference: Data protection adequacy for non-EU countries, Adequate Level of Protection
NEW QUESTION # 139
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
- A. The Council of the European Union.
- B. Approved data controllers.
- C. The European Data Protection Supervisor.
- D. National data protection authorities.
Answer: D
Explanation:
According to Article 46(2) of the GDPR, standard contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) can be used as a legal basis for data transfers to third countries. This means that, in addition to the European Commission, national data protection authorities can adopt standard contractual clauses, provided that they meet the conditions and requirements set out in the GDPR and obtain the approval of the Commission. The other options are not correct, as approved data controllers, the Council of the European Union and the European Data Protection Supervisor do not have the power to adopt standard contractual clauses under the GDPR. Reference: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Standard Contractual Clauses (SCC) - European Commission
NEW QUESTION # 140
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
- A. If the processing is to be performed by a third-party vendor
- B. If the processing involves data that is considered personal data
- C. If the processing of the data is done through automated means
- D. If the processing is used to predict the behavior of data subjects
Answer: D
NEW QUESTION # 141
In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?
- A. When personal data is being transferred outside of the EEA.
- B. When the controller is required to have a Data Protection Officer.
- C. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
- D. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
Answer: D
Explanation:
According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. The GDPR provides a list of examples of processing operations that require a DPIA, such as:
- Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
Therefore, an example of a scenario where a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR. Reference: Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.
NEW QUESTION # 142
How does the GDPR now define "processing"?
- A. Any operation or set of operations performed on personal data or on sets of personal data.
- B. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- C. Any act involving the collecting and recording of personal data.
- D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
Answer: A
Explanation:
Reference: https://gdpr-info.eu/issues/processing/
NEW QUESTION # 143
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
- A. The group of undertakings must be comprised of organizations of similar sizes and functions.
- B. The group of undertakings must obtain approval from a supervisory authority.
- C. The data protection officer must be easily accessible from each establishment where the undertakings are located.
- D. The data protection officer must be located in the country where the data controller has its main establishment.
Answer: C
Explanation:
According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. Reference: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What's different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley
NEW QUESTION # 144
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The establishment of a list of legitimate data processing criteria
- B. The creation of legally binding data protection principles
- C. The restriction of cross-border data flow
- D. The synchronization of approaches to data protection
Answer: D
Explanation:
Reference: https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dp-directive.pdf (99)
NEW QUESTION # 145
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?
- A. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
- B. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
- C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
- D. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
Answer: A
Explanation:
According to the UK GDPR, consent means "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". One of the requirements for consent to be informed is that the data subject should be aware of the identity of the controller who is processing the personal data. In this scenario, Ms. Iman only gave consent to Liem to process her personal data for marketing purposes, but she was not informed that JaphSoft, a third-party controller, would also access and process her personal data. Therefore, her consent was not valid in regard to JaphSoft, as she did not know who was processing her personal data and for what purposes. Reference:
UK GDPR Article 4 (11)
UK GDPR Recital 42
NEW QUESTION # 146
Which of the following is NOT exempt from the material scope of the GDPR, insofar as the processing of personal data is concerned?
- A. A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.
- B. A natural person in the course of a large-scale but purely personal or household activity.
- C. A natural person processing data for a small-scale, purely personal or household activity.
- D. A natural person in the course of activity conducted purely for a personally-owned sole proprietorship.
Answer: B
Explanation:
The material scope of the GDPR is outlined in Article 2. The Regulation applies to 'processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.' However, the Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. This exemption is meant to protect the privacy of individuals in their private sphere and to exclude activities that have no connection with a professional or commercial activity. The exemption covers activities such as correspondence, social networking, online publication of photos or videos, and the use of online services for personal purposes. However, the exemption does not apply if the processing of personal data affects the rights and freedoms of others, such as when the data is made accessible to an indefinite number of people. Therefore, the processing of personal data by a natural person in the course of a large-scale but purely personal or household activity is not exempt from the material scope of the GDPR, as it may have an impact on the privacy of other individuals. The other options are exempt from the material scope of the GDPR, as they involve small-scale, purely personal or household activities that do not affect the rights and freedoms of others. Reference: Article 2 of the GDPR; Recital 18 of the GDPR; CJEU, Case C-101/01, Lindqvist, 2003.
NEW QUESTION # 147
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. Where an individual's details have been obtained from a bought-in marketing list.
- B. When an individual has not consented to the marketing.
- C. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- D. When an individual's details are obtained from their inquiries about buying a product.
Answer: D
NEW QUESTION # 148
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?
- A. ProStorage can rely on its Binding Corporate Rules
- B. HRYourWay is not located in a third country.
- C. HRYourWay was ultimately not selected
- D. ProStorage will obtain consent for all transfers.
Answer: D
NEW QUESTION # 149
According to the GDPR, how is pseudonymous personal data defined?
- A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
- B. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
- C. Data that has been encrypted or is subject to other technical safeguards.
- D. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
Answer: A
Explanation:
Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/
NEW QUESTION # 150
Select the answer below that accurately completes the following:
"The right to compensation and liability under the GDPR...
- A. ...can only be exercised against the data controller, even if a data processor was involved in the same processing."
- B. ...is limited to a maximum amount of EUR 20 million per event of damage or loss."
- C. ...provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage."
- D. ...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing."
Answer: D
Explanation:
Reference: https://gdpr-info.eu/art-82-gdpr/
NEW QUESTION # 151
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
- A. Consulted with the Information Security team to weigh security measures against possible server impacts.
- B. Consulted with the relevant data protection authority about potential privacy violations.
- C. Assessed potential privacy risks by conducting a data protection impact assessment.
- D. Distributed a more comprehensive notice to employees and received their express consent.
Answer: C
Explanation:
A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals. The GDPR requires controllers to conduct a DPIA before starting such processing activities. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees' computers, which could affect their privacy and other fundamental rights. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities. The other options are not the first step that Building Block should have done, as they either follow or depend on the outcome of the DPIA. Reference: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO
NEW QUESTION # 152
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
- A. The local Data Protection Supervisory Authorities.
- B. The Member States.
- C. The European Data Protection Board.
- D. The EU Commission.
Answer: B
NEW QUESTION # 153
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a password-protected database listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
- A. Compliant with the security principle, because the database is password-protected.
- B. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the database.
- C. Not applicable, because the database is password-protected, and therefore is not at risk of identifying any data subject.
- D. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
Answer: D
NEW QUESTION # 154
SCENARIO
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?
- A. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
- B. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
- C. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
- D. Louis does not have the right to object to the use of his data because he previously consented to it.
Answer: A
Explanation:
Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
The GDPR states that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing" and that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it. Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock's affiliates.
NEW QUESTION # 155
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another from Germany was working remotely without authorization.
The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
- A. Consulted with the Information Security team to weigh security measures against possible server impacts.
- B. Assessed potential privacy risks by conducting a data protection impact assessment.
- C. Consulted with the relevant data protection authority about potential privacy violations.
- D. Distributed a more comprehensive notice to employees and received their express consent.
Answer: D
NEW QUESTION # 156
How does the GDPR now define "processing"?
- A. Any operation or set of operations performed on personal data or on sets of personal data.
- B. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- C. Any act involving the collecting and recording of personal data.
- D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
Answer: A
NEW QUESTION # 157
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating on every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people who reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?
- A. Send out consent forms to all of its employees.
- B. Minimize the amount of data collected for the lawsuit.
- C. Encrypt the data from all of its employees.
- D. Inform all of its employees about the lawsuit.
Answer: B
NEW QUESTION # 158
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Identify uses of data in a privacy notice mailed to the data subject.
- B. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- C. Provide only general information about its processing activities and offer a toll-free number for more information.
- D. Use a layered privacy notice on its website and in its email communications.
Answer: A
Explanation:
Reference: https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-bureau-consumer-protection-preliminary-ftc-staff-report-protecting-consumer/101201privacyreport.pdf
NEW QUESTION # 159