The Secret Of IAPP CIPP-E Study Guides

NEW QUESTION 1
When is data sharing agreement MOST likely to be needed?

• A. When anonymized data is being shared.
• B. When personal data is being shared between commercial organizations acting as joint data controllers.
• C. When personal data is being proactively shared by a controller to support a police investigation.
• D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Answer: B

NEW QUESTION 2
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

• A. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
• B. Notification regarding third party requests for access to Liem and EcoMick’s personal data.
• C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
• D. Returning or deleting personal data after the end of the provision of the services.

Answer: C

NEW QUESTION 3
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

• A. The controller will be liable to pay an administrative fine
• B. The processor will be liable to pay compensation to affected data subjects
• C. The processor will be considered to be a controller in respect of the processing concerned
• D. The controller will be required to demonstrate that the unauthorized processing negatively affected oneor more of the parties involved

Answer: B

NEW QUESTION 4
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

• A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
• B. Adequacy determinations automatically lapse when a Member State leaves the EU.
• C. The UK is now a third country because it’s no longer subject to the GDPR.
• D. The UK is less trustworthy now that its not part of the Union.

Answer: C

NEW QUESTION 5
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

• A. When the data is to be processed for market research.
• B. When providing preventive or counselling services to the child.
• C. When providing the child with materials purely for educational use.
• D. When a legitimate business interest makes obtaining consent impractical.

Answer: B

NEW QUESTION 6
When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

• A. The ease of identification of individuals.
• B. The size of any data processor involved.
• C. The special characteristics of the data controller.
• D. The nature, sensitivity and volume of personal data.

Answer: B

NEW QUESTION 7
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

• A. Provide the user with logs of data collected through use of the app.
• B. Erase any data collected from the time the app was first used.
• C. Inform any third parties of the user’s withdrawal of consent.
• D. Cease processing any data collected through use of the app.

Answer: D

NEW QUESTION 8
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

• A. The ePrivacy Directive
• B. The E-Commerce Directive
• C. The Data Retention Directive
• D. The EU Cybersecurity Directive

Answer: A

NEW QUESTION 9
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?

• A. It is not legal to include fields requiring information regarding health status without consent.
• B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
• C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
• D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.

Answer: C

NEW QUESTION 10
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

• A. The ability to enact new laws by executive order.
• B. The right to access data for investigative purposes.
• C. The discretion to carry out goals of elected officials within the member state.
• D. The authority to select penalties when a controller is found guilty in a court of law.

Answer: B

NEW QUESTION 11
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.
Which of the following best explain why this practice would NOT be subject to the GDPR?

• A. Body temperature is not considered personal data.
• B. The practice does not involve completion by automated means.
• C. Body temperature is considered pseudonymous data.
• D. The practice is for the purpose of alleviating extreme risks to public health.

Answer: B

NEW QUESTION 12
Which of the following entities would most likely be exempt from complying with the GDPR?

• A. A South American company that regularly collects European customers’ personal data.
• B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
• C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
• D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

Answer: C

NEW QUESTION 13
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

• A. The right to privacy is an absolute right
• B. The right to privacy has to be balanced against other rights under the ECHR
• C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
• D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Answer: B

NEW QUESTION 14
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

• A. After a personal data breach.
• B. Every three (3) years.
• C. On an ongoing basis.
• D. Every year.

Answer: C

NEW QUESTION 15
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

• A. Providing a multi-layered privacy notice, in a website environment.
• B. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
• C. Providing a hyperlink to the organization’s home page, in a hard copy application form.
• D. Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.

Answer: A

NEW QUESTION 16
......