Try Before You Buy

Download a free sample of any of our exam questions and answers

  • 24/7 customer support, Secure shopping site
  • Free One year updates to match real exam scenarios
  • If you failed your exam after buying our products we will refund the full amount back to you.

Free IAPP CIPP-E Exam Questions & Answer from Training Expert BraindumpsIT [Q29-Q54]

Share

Free IAPP CIPP-E Exam Questions & Answer from Training Expert BraindumpsIT

Top IAPP CIPP-E Courses Online


Target Audience

The CIPP/E certification and its exam are intended for anyone who wants to demonstrate competency in the General Data Protection Regulation (GDPR) and other legislation associated with the protection of the European Union citizens. This certificate is also suitable for any individual who is currently involved in using, processing, and maintaining personal data.


IAPP CIPP/E Exam Registration

In order to apply for the IAPP CIPP/E Exam, You have to follow these steps

Step 1: Visit the IAPP store Website

Step 2: Search for the CIPP/E Exam and purchase the exam by making payment using credit/debit card.

Step 3: Through Pearson VUE’s scheduling platform, you will be able to choose a test center, time and date.


How much IAPP CIPP/E Exam Cost

  • The price of the IAPP CIPP/E Exam is $550.

 

NEW QUESTION 29
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

  • A. When the personal data is processed only in non-electronic form
  • B. When the personal data is processed by an individual only for their household activities
  • C. When the personal data is collected and then pseudonymised by the controller
  • D. When the personal data is held by the controller but not processed for further purposes

Answer: C

Explanation:
Explanation/Reference: https://gdpr-info.eu/art-6-gdpr/

 

NEW QUESTION 30
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

  • A. If the accuracy of the data is not an aspect that Louis is disputing.
  • B. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
  • C. If Accidentable also uses the data to conduct public health research.
  • D. If the data becomes necessary to defend Accidentable's legal rights.

Answer: B

 

NEW QUESTION 31
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention
108?

  • A. Both govern the manual processing of personal data
  • B. Both govern international transfers of personal data
  • C. Both only apply to European Union countries
  • D. Both require notification of processing activities to a supervisory authority

Answer: D

Explanation:
Explanation/Reference: https://rm.coe.int/090000168093b851

 

NEW QUESTION 32
In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

  • A. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
  • B. When personal data is being transferred outside of the EEA.
  • C. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
  • D. When the controller is required to have a Data Protection Officer.

Answer: D

Explanation:
Reference:
%20the%20General,and%20freedoms%20of%20natural%20persons%27.

 

NEW QUESTION 33
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations.
TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick.
Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  • A. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
  • B. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  • C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
  • D. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

Answer: D

 

NEW QUESTION 34
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  • B. Personal data of EU residents being processed by a non-EU business that targets EU customers.
  • C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • D. Personal data of EU citizens being processed by a controller or processor based outside the EU.

Answer: D

 

NEW QUESTION 35
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When a legitimate business interest makes obtaining consent impractical.
  • B. When the data is to be processed for market research.
  • C. When providing preventive or counselling services to the child.
  • D. When providing the child with materials purely for educational use.

Answer: C

 

NEW QUESTION 36
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. A prior opt-in consent for consumers unless they are already customers.
  • B. A pre-checked box stating that the consumer agrees to receive email marketing.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Answer: A

 

NEW QUESTION 37
How does the GDPR now define "processing"?

  • A. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
  • B. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
  • C. Any operation or set of operations performed on personal data or on sets of personal data.
  • D. Any act involving the collecting and recording of personal data.

Answer: D

Explanation:
Explanation/Reference: https://gdpr-info.eu/issues/processing/

 

NEW QUESTION 38
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

  • A. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
  • B. Background checks on European employees will stem from data protection and employment law, which can vary between member states.
  • C. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
  • D. Background checks on employees could be performed only under prior notice to all employees.

Answer: B

 

NEW QUESTION 39
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The algorithms that Frank uses for the processing are technologically sound
  • B. The data subjects gave their unambiguous consent for the original processing
  • C. The data subjects are no longer current students of Frank's
  • D. The processing will not negatively affect the rights of the data subjects

Answer: B

 

NEW QUESTION 40
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

  • A. Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.
  • B. Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
  • C. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.
  • D. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

Answer: B

 

NEW QUESTION 41
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

  • A. Create an information retention policy for those who operate the system.
  • B. Notify the appropriate data protection authority.
  • C. Perform a data protection impact assessment (DPIA).
  • D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

Answer: A

 

NEW QUESTION 42
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

  • A. Inform the subjects about the collection
  • B. Upgrade security to match that of the source
  • C. Update the data within a reasonable timeframe
  • D. Provide a public notice regarding the data

Answer: A

 

NEW QUESTION 43
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

  • A. Where the customer's Internet service provider is located
  • B. Where the technology supporting the website is located
  • C. Where the decisions about processing are made
  • D. Where the website is accessed

Answer: A

Explanation:
Explanation/Reference: https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the-european-general- data-protection-regulation-gdpr/

 

NEW QUESTION 44
Which of the following is NOT a role of works councils?

  • A. Determining whether to approve or reject certain decisions of the employer that affect employees.
  • B. Determining the monetary fines to be levied against employers for data breach violations of employee data.
  • C. Determining whether employees' personal data can be processed or not.
  • D. Determining what changes will affect employee working conditions.

Answer: C

 

NEW QUESTION 45
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

  • A. If obtaining consent is deemed to involve disproportionate effort.
  • B. If the company's status as a documentary provider allows it to claim legitimate interest.
  • C. If obtaining consent is deemed voluntary by local legislation.
  • D. If the company limits the footage to data subjects solely of legal age.

Answer: C

 

NEW QUESTION 46
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

  • A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
  • B. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
  • C. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  • D. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

Answer: A

 

NEW QUESTION 47
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual's personal data.
Which of the following best explain why this practice would NOT be subject to the GDPR?

  • A. Body temperature is considered pseudonymous data.
  • B. Body temperature is not considered personal data.
  • C. The practice is for the purpose of alleviating extreme risks to public health.
  • D. The practice does not involve completion by automated means.

Answer: D

 

NEW QUESTION 48
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

  • A. She only viewed the visual representations of the privacy notice Liem provided.
  • B. She was not told which controller would be processing her personal data.
  • C. She did not read the privacy notice stating that her personal data would be shared.
  • D. She has never made any purchases from JaphSoft and has no relationship with the company.

Answer: C

 

NEW QUESTION 49
SCENARIO
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the dat a. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities." What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

  • A. Any marketing information at all.
  • B. No marketing information at all.
  • C. Marketing information for products or services similar to those purchased from WonderKids.
  • D. Marketing information related to other business operations of WonderKids.

Answer: D

 

NEW QUESTION 50
Which of the following was the first legally binding international instrument in the area of data protection?

  • A. Convention 108.
  • B. Universal Declaration of Human Rights.
  • C. General Data Protection Regulation.
  • D. EU Directive on Privacy and Electronic Communications.

Answer: A

 

NEW QUESTION 51
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

  • A. The EU individuals are targeted.
  • B. The data processing activities are in Spain.
  • C. The data controller is in France.
  • D. The individuals are European citizens or residents.

Answer: A

 

NEW QUESTION 52
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. The data isn't considered personally identifiable financial information.
  • B. There is no evidence that the thieves have accessed the data on the laptop.
  • C. The laptop belonged to a company located in Canada.
  • D. The company isn't a controller established in the Union.

Answer: D

 

NEW QUESTION 53
SCENARIO
Please use the following to answer the next question:
Ben is a member of the fitness club STAYFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Ben lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Ben was photographed while working out at a branch of STAYFIT in Frankfurt, Germany. At the time, Ben gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Ben no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Ben sends a letter to STAYFIT requesting that his image be removed from the website and all promotional materials. Months pass and Ben, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact STAYFIT through alternate channels, he decides to take action against the company.
Ben contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

  • A. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
  • B. Submit a draft decision to other supervisory authorities for their opinion.
  • C. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
  • D. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.

Answer: C

 

NEW QUESTION 54
......

New (2021) IAPP CIPP-E  Exam Dumps: https://www.braindumpsit.com/CIPP-E_real-exam.html

CIPP-E Practice Dumps - Verified By BraindumpsIT Updated 208 Questions: https://drive.google.com/open?id=1z5G4UIk9HL2v_bteoaoFafeD-4KxZuBU