IAPP CIPP-E Exam Dumps

Certified Information Privacy Professional/Europe (CIPP/E)

IAPP CIPP-E Sample Questions

Question # 1

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention108?

A. Both govern international transfers of personal data
B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority

Answer: D

Show Answer

Question # 2

Please use the following to answer the next question:You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range ofdolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Althougthe manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong,it has entered into a number of local distribution contracts. The toys produced by the company can be found inall popular toy stores throughout Europe, the United States and Asia. A large portion of the company’srevenue is due to international sales.The company now wishes to launch a new range of connected toys, ones that can talk and interact withchildren. The CEO of the company is touting these toys as the next big thing, due to the increased possibilitiesoffered: The figures can answer children’s Questions: on various subjects, such as mathematical calculationsor the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone ortablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.The figures can also be associated with other figures (from the same manufacturer) and interact with eachother for an enhanced play experience.When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer isgenerated on cloud servers and sent back to the figure. The answer is given through the figure’s integratedspeakers, making it appear as though that the toy is actually responding to the child’s QUESTION. Thepackaging of the toy does not provide technical details on how this works, nor does it mention that this featurerequires an internet connection. The necessary data processing for this has been outsourced to a data centerlocated in South Africa. However, your company has not yet revised its consumer-facing privacy policy toindicate this.In parallel, the company is planning to introduce a new range of game systems through which consumers canplay the characters they acquire in the course of playing the game. The system will come bundled with a portalthat includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the actionfigure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it isalso possible to earn additional ones by accomplishing game goals. The only information stored in the tagrelates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring thefigure to locations outside of the home and have the character’s abilities remain intact.To ensure GDPR compliance, what should be the company’s position on the issue of consent?

A. The child, as the user of the action figure, can provide consent himself, as long as no information isshared for marketing purposes.
B. Written authorization attesting to the responsible use of children’s data would need to be obtained fromthe supervisory authority.
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
D. Parental consent for a child’s use of the action figures would have to be obtained before any data couldbe collected.

Answer: D

Show Answer

Question # 3

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with adata access request?

A. Within 40 days of receipt
B. Within 40 days of receipt, which may be extended by up to 40 additional days
C. Within one month of receipt, which may be extended by up to an additional month
D. Within one month of receipt, which may be extended by an additional two months

Answer: C

Show Answer

Question # 4

Please use the following to answer the next question:Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentableoffering to help him recover compensation for personal injury. Louis has heard about insurance companiesselling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his informationfrom Bedrock Insurance.Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell himtheir full range of their insurance policies.Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked tofind that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer formany years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his NoClaims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes toask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock tostop using his personal data for marketing purposes.Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No ClaimsCertificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible.Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could beused for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. Itangers Louis when he recalls the wording of the contract, which was filled with legal jargon and veryconfusing.In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes toAccidentable to ask for the name of the organization that supplied his details to them. He warns Accidentablethat he plans to complain to the data protection authority, because he thinks their company has been using hisdata unlawfully. His letter states that he does not want his data being used by them in any way.Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s whollyowned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louissubmitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, asLouis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates forbusiness purposes.Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all hisinformation be erased from their computer system.Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of acontract with the customer.
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an bligation to develop commonly used, machine-readable and interoperable formats so that all customerdata can be ported to other insurers on request.

Answer: B

Show Answer

Question # 5

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.
B. A pre-checked box stating that the consumer agrees to receive email marketing.
C. A notice that the consumer’s email address will be used for marketing purposes.
D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Answer: A

Show Answer

Question # 6

What must a data controller do in order to make personal data pseudonymous?

A. Separately hold any information that would allow linking the data to the data subject.
B. Encrypt the data in order to prevent any unauthorized access or modification.
C. Remove all indirect data identifiers and dispose of them securely.
D. Use the data only in aggregated form for research purposes.

Answer: A

Show Answer

Question # 7

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it isdetermined that the break-in involves the loss of a substantial amount of data, the company decides on aCCTV system to monitor for future incidents. Company technicians install cameras in the entrance of thebuilding, hallways and offices. Footage is recorded continuously, and is monitored by the home office in theUnited States. What is the most realistic step the company could take to address their security concerns andcomply with the personal data processing principles set out in Article 5 of the GDPR?

A. Seek informed consent from company employees.
B. Have cameras recording during work hours only.
C. Retain captured footage for no more than 30 days.
D. Restrict camera placement to building entrances only.

Answer: A

Show Answer

Question # 8

Under which of the following conditions does the General Data Protection Regulation NOT apply to theprocessing of personal data?

A. When the personal data is processed only in non-electronic form
B. When the personal data is collected and then pseudonymised by the controller
C. When the personal data is held by the controller but not processed for further purposes
D. When the personal data is processed by an individual only for their household activities

Answer: B

Show Answer

Question # 9

In which of the following situations would an individual most likely to be able to withdraw her consent forprocessing?

A. When she is leaving her bank and moving to another bank.
B. When she has recently changed jobs and no longer works for the same company.
C. When she disagrees with a diagnosis her doctor has recorded on her records.
D. When she no longer wishes to be sent marketing materials from an organization.

Answer: D

Show Answer

Question # 10

Please use the following to answer the next question:WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts itswebsite through a company in Switzerland. As part of their service, WonderKids will pass all personal dataprovided to them to the childcare provider booked through their system. The type of personal data collected onthe website includes the name of the person booking the childcare, address and contact details, as well asinformation about the children to be cared for including name, age, gender and health information. The privacystatement on Wonderkids’ website states the following: “WonderkKids provides the information you disclose to us through this website to your childcare provider forscheduling and health and safety reasons. We may also use your and your child’s personal information for ourown legitimate business purposes and we employ a third-party website hosting company located inSwitzerland to store the data. Any data stored on equipment located in Switzerland meets the EuropeanCommission provisions for guaranteeing adequate safeguards for you and your child’s personal information.We will only share you and your child’s personal information with businesses that we see as adding real valueto you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to sendyou promotional offers.”“We may retain you and your child’s personal information for no more than 28 days, at which point the datawill be depersonalized, unless your personal information is being used for a legitimate business purposebeyond 28 days where it may be retained for up to 2 years.” “We are processing you and your child’s personal information with your consent. If you choose not to providecertain information to us, you may not be able to use our services. You have the right to: request access toyou and your child’s personal information; rectify or erase you or your child’s personal information; the rightto correction or erasure of you and/or your child’s personal information; object to any processing of you andyour child’s personal information. You also have the right to complain to the supervisory authority about ourdata processing activities.” What additional information must Wonderkids provide in their Privacy Statement?

A. How often promotional emails will be sent.
B. Contact information of the hosting company.
C. Technical and organizational measures to protect data.
D. The categories of recipients with whom data will be shared.

Answer: B

Show Answer

Question # 11

As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside theEEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of anEU subsidiary and its U.S. parent are what?

A. Supervised by the same Data Protection Officer.
B. Consistent with Privacy Shield requirements
C. Bound by a standard contractual clause.
D. Inextricably linked in their businesses.

Answer: D

Show Answer

Question # 12

Please use the following to answer the next question:Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The companyis headquartered in Montreal, and all of its employees are located there. The company offers its services toCanadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internettraffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declinesto process orders that request the DNA report to be sent outside of Canada, and returns orders that show anon-Canadian return address.Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company isexploring a number of plans to expand its customer base.The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadiancustomer base. The expansion will allow its Canadian customers to use the app while traveling abroad. Hesuggests that the company use this app to gather location information. If the plan shows promise, Bobproposes to use push notifications and text messages to encourage existing customers to pre-register for an EUversion of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough preregistrations, it will develop EU-specific content and services.Another plan is called Customer for Life. The idea is to offer additional services through the company’s app,like storage and sharing of DNA information with other applications and medical providers. The company’scontract says that it can keep customer DNA indefinitely, and use it to offer new services and market them tocustomers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketingdirector, suggests that the company should fully exploit these provisions, and that it can work aroundcustomers’ attempts to withdraw consent because the contract invalidates them.The final plan is to develop a brand presence in the EU. The company has already begun this process. It is inthe process of purchasing the naming rights for a building in Germany, which would come with a few officesthat Who-R-U executives can use while traveling internationally. The office doesn’t include any technology orinfrastructure; rather, it’s simply a room with a desk and some chairs.On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNAreports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customername, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

A. The company isn’t a controller established in the Union.
B. The laptop belonged to a company located in Canada.
C. The data isn’t considered personally identifiable financial information.
D. There is no evidence that the thieves have accessed the data on the laptop.

Answer: A

Show Answer

Question # 13

Which of the following would require designating a data protection officer?

A. Processing is carried out by an organization employing 250 persons or more.
B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Answer: D

Show Answer