Try Before You Buy

Download a free sample of any of our exam questions and answers

  • 24/7 customer support, Secure shopping site
  • Free One year updates to match real exam scenarios
  • If you failed your exam after buying our products we will refund the full amount back to you.

Real CIPP-E Exam Questions are the Best Preparation Material [Q95-Q114]

Share

Real CIPP-E Exam Questions are the Best Preparation Material

Practice on 2024 LATEST CIPP-E Exam Updated 270 Questions

NEW QUESTION # 95
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. Personal data of EU residents being processed by a non-EU business that targets EU customers.
  • B. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • C. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • D. The behavior of suspected terrorists being monitored by EU law enforcement bodies.

Answer: C


NEW QUESTION # 96
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  • A. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
  • B. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
  • C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  • D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Answer: D

Explanation:
Reference https://www.zimmerslaw.com/english-1/data-protection/


NEW QUESTION # 97
Which of the following would require designating a data protection officer?

  • A. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
  • B. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
  • C. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
  • D. Processing is carried out by an organization employing 250 persons or more.

Answer: A

Explanation:
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/accountability-and-governance/data-protection-officers/


NEW QUESTION # 98
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  • A. Submit the contract to its own government authority.
  • B. Supply any information requested by a data protection authority (DPA) within 30 days.
  • C. Ensure that notice is given to and consent is obtained from data subjects.
  • D. Ensure that local laws do not impede the company from meeting its contractual obligations.

Answer: D

Explanation:
The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. Reference: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR


NEW QUESTION # 99
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

  • A. The obligation of companies to declare data breaches.
  • B. The requirement to demonstrate compliance to a supervisory authority.
  • C. The necessity of the bulk collection of personal data by the government.

Answer: B


NEW QUESTION # 100
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?

  • A. AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
  • B. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
  • C. It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.
  • D. The data storage period has to be revised, and a data processing agreement w*h AWS must be signed

Answer: D


NEW QUESTION # 101
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. No prior permission required, but an opt-out requirement on all emails sent to consumers.
  • B. A prior opt-in consent for consumers unless they are already customers.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. A pre-checked box stating that the consumer agrees to receive email marketing.

Answer: B

Explanation:
Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject's will. However, there is an exception to the consent rule for existing customers, known as the "soft opt-in". This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:
The company obtained the customer's contact details in the course of a sale or negotiations for a sale of a product or service; The company only sends marketing messages about its own similar products or services; The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.


NEW QUESTION # 102
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

  • A. The ePrivacy Directive
  • B. The EU Cybersecurity Directive
  • C. The E-Commerce Directive
  • D. The Data Retention Directive

Answer: A


NEW QUESTION # 103
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

  • A. Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.
  • B. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
  • C. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
  • D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

Answer: A

Explanation:
Reference https://www.dataguidance.com/opinion/eu-how-when-and-why-carrying-out-dpia


NEW QUESTION # 104
A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

  • A. The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.
  • B. The homeowner has not specified which security measures ore in place as part of the surveillance camera system
  • C. The GDPR specifically excludes surveillance camera images from the household exemption
  • D. The surveillance camera system can potentially film individuals who enter its filming perimeter

Answer: D


NEW QUESTION # 105
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Categories of recipients to whom the personal data have been disclosed.
  • B. Retention periods for erasure and deletion of categories of personal data.
    Section: (none)
    Explanation
  • C. Incidents of personal data breaches, whether disclosed or not.
  • D. Data inventory or data mapping exercises that have been conducted.

Answer: B


NEW QUESTION # 106
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The algorithms that Frank uses for the processing are technologically sound
  • B. The processing will not negatively affect the rights of the data subjects
  • C. The data subjects are no longer current students of Frank's
  • D. The data subjects gave their unambiguous consent for the original processing

Answer: D


NEW QUESTION # 107
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  • A. Distributed a more comprehensive notice to employees and received their express consent.
  • B. Assessed potential privacy risks by conducting a data protection impact assessment.
  • C. Consulted with the Information Security team to weigh security measures against possible server impacts.
  • D. Consulted with the relevant data protection authority about potential privacy violations.

Answer: B

Explanation:
A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals1. The GDPR requires controllers to conduct a DPIA before starting such processing activities1. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees' computers, which could affect their privacy and other fundamental rights2. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities12. The other options are not the first step that Building Block should have done, as they either follow or depend on the outcome of the DPIA. Reference: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO


NEW QUESTION # 108
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

  • A. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
  • B. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
  • C. A data controller who plans to use a new technology product that has already undergone a DPIA by the product's provider.
  • D. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

Answer: A


NEW QUESTION # 109
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When the data is to be processed for market research.
  • B. When providing the child with materials purely for educational use.
  • C. When providing preventive or counselling services to the child.
  • D. When a legitimate business interest makes obtaining consent impractical.

Answer: C

Explanation:
Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child." Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child's well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child's best interests, and that appropriate safeguards are in place to protect the child's personal data and rights.
The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child's privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child's name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child. However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child's privacy and autonomy. Reference: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board


NEW QUESTION # 110
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.
How should the company respond to Jack's request to be forgotten?

  • A. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
  • B. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.
  • C. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.
  • D. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.

Answer: B


NEW QUESTION # 111
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt
  • B. Within 40 days of receipt, which may be extended by up to 40 additional days
  • C. Within one month of receipt, which may be extended by an additional two months
  • D. Within one month of receipt, which may be extended by up to an additional month

Answer: D

Explanation:
Reference https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/individual-rights/right-of-access/


NEW QUESTION # 112
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  • A. Assessed potential privacy risks by conducting a data protection impact assessment.
  • B. Distributed a more comprehensive notice to employees and received their express consent.
  • C. Consulted with the Information Security team to weigh security measures against possible server impacts.
  • D. Consulted with the relevant data protection authority about potential privacy violations.

Answer: B


NEW QUESTION # 113
Which of the following is the weakest lawful basis for processing employee personal data?

  • A. Processing based on fulfilling an employment contract.
  • B. Processing based on employee consent.
  • C. Processing based on legitimate interests.
  • D. Processing based on legal obligation.

Answer: B

Explanation:
Reference:
According to the GDPR, consent is one of the six lawful bases for processing personal data, but it is not always the most appropriate one. Consent must be freely given, specific, informed and unambiguous, and the data subject must have the right to withdraw it at any time1. In the context of employment, consent is often not a valid lawful basis, because there is a clear imbalance of power between the employer and the employee, which means that the consent is not freely given2. Moreover, consent can be difficult to manage and document, and it can pose practical problems if the employee withdraws it. Therefore, consent is the weakest lawful basis for processing employee personal data, and employers should rely on other lawful bases, such as contract, legal obligation, vital interests, public task or legitimate interests, depending on the purpose and necessity of the processing3. Reference: 1: Article 4(11) and Article 7 of the GDPR; 2: [EDPB Guidelines], page 6; 3: A Guide to Lawful Basis for Processing Employee Personal Data.


NEW QUESTION # 114
......

Authentic CIPP-E Exam Dumps PDF - Jan-2024 Updated: https://www.braindumpsit.com/CIPP-E_real-exam.html

Download Latest CIPP-E Dumps with Authentic Real Exam QA's: https://drive.google.com/open?id=1KA6OnKlAg6z-oo-w1rwmL8wpH258A0Sq