Pass CIPP-E Exam - Real Test Engine PDF with 208 Questions [Q68-Q83]

Rate this post

Pass CIPP-E Exam – Real Test Engine PDF with 208 Questions

Get New CIPP-E Certification Practice Test Questions Exam Dumps

NEW QUESTION 68
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

Because of the misrepresentation of personal data as an endorsement.

Because of the juxtaposition of the quotation with others’ quotations.

Because of the use of personal data outside of the social networking service (SNS).

Because of the misapplication of the household exception in relation to a social networking service (SNS).

NEW QUESTION 69
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?

Compliant with the security principle, because the data base is password-protected.

Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.

Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data subject.

Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.

NEW QUESTION 70
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention
108?

Both govern international transfers of personal data

Both govern the manual processing of personal data

Both only apply to European Union countries

Both require notification of processing activities to a supervisory authority

NEW QUESTION 71
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

Information about DPIAs found in Articles 38 through 40 of the GDPR.

Data breach documentation that data controllers are required to maintain.

Existing DPIA guides published by local supervisory authorities.

Records of processing activities that data controllers are required to maintain.

NEW QUESTION 72
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

They must report it to TripBliss Inc.

They must conduct a full systems audit.

They must report it to the supervisory authority.

They must inform customers who have used the website.

NEW QUESTION 73
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

NEW QUESTION 74
What is the key difference between the European Council and the Council of the European Union?

The Council of the European Union is helmed by a president.

The Council of the European Union has a degree of legislative power.

The European Council focuses primarily on issues involving human rights.

The European Council is comprised of the heads of each EU member state.

NEW QUESTION 75
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

The individuals are European citizens or residents.

The data processing activities are in Spain.

The data controller is in France.

The EU individuals are targeted.

NEW QUESTION 76
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

The requirements affected individuals without exception.

The requirements were financially burdensome to EU businesses.

The requirements specified that data must be held within the EU.

The requirements had limitations on how national authorities could use data.

NEW QUESTION 77
With the issue of consent, the GDPR allows member states some choice regarding what?

The mechanisms through which consent may be communicated

The circumstances in which silence or inactivity may constitute consent

The age at which children must be required to obtain parental consent

The timeframe in which data subjects are allowed to withdraw their consent

NEW QUESTION 78
What was the aim of the European Data Protection Directive 95/46/EC?

To harmonize the implementation of the European Convention of Human Rights across all member states.

To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.

To completely prevent the transfer of personal data out of the European Union.

To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

NEW QUESTION 79
In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

The predicted consequences of the breach.

The measures being taken to address the breach.

The type of security safeguards used to protect the data.

The contact details of the appropriate data protection officer.

NEW QUESTION 80
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

The lack of the option to opt in.

The level of security within the website.

The contract with the third-party advertising network.

The need to have the contents of the advertising approved.

NEW QUESTION 81
Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

Because photographs qualify as biometric data only when they undergo a “specific technical processing”.

Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

Because photographic ID is a physical security measure which is “necessary for reasons of substantial public interest”.

NEW QUESTION 82
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

Encrypt the data in transit over the wireless Bluetooth connection.

Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.

Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.

NEW QUESTION 83
Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

Data subject rights

Data access disputes

Cross-border processing

Special categories of data