Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
IAPP
Certified Information Privacy Professional
CIPP-E
Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Pass the IAPP Certified Information Privacy Professional CIPP-E Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam CIPP-E Premium Access

View all detail and faqs for the CIPP-E exam

Go to Exam

800 Students Passed

89% Average Score

93% Same Questions

Viewing page 9 out of 9 pages

Viewing questions 81-90 out of questions

Questions # 81:

SCENARIO

Please use the following to answer the next question:

Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that

Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities.

Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

Options:

The company will be undertaking processing activities involving sensitive data categories such as financial and children’s data.

The company employs approximately 650 people and will therefore be carrying out extensive processing activities.

The company plans to undertake profiling of its customers through analysis of their purchasing patterns.

The company intends to shift their business model to rely more heavily on online shopping.

Answer

Explanation

According to the Free CIPP/E Study Guide, page 14, “the GDPR requires controllers to carry out a data protection impact assessment (DPIA) prior to processing where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” The GDPR also provides a list of examples of processing operations that require a DPIA, such as “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” (Article 35(3)(a)). Therefore, the fact that Dynaroux plans to undertake profiling of its customers through analysis of their purchasing patterns would trigger a DPIA under the GDPR, as it involves a systematic and extensive evaluation of personal aspects based on automated processing that may significantly affect the customers. The other options are not necessarily cases where a DPIA is required, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 14

GDPR, Article 35

Questions # 82:

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

Options:

Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.

Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.

Failure to process personal information in a manner compatible with its original purpose.

Failure to provide the means for a data subject to rectify inaccuracies in personal data.

Answer

Explanation

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:

GDPR Article 83

GDPR Article 25

GDPR Article 7

GDPR Article 5

GDPR Article 16

Questions # 83:

As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

Options:

Supervised by the same Data Protection Officer.

Consistent with Privacy Shield requirements

Bound by a standard contractual clause.

Inextricably linked in their businesses.

Answer

Explanation

According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

[Reference: http://curia.europa.eu/juris/document/document.jsf?docid=138782&doclang=EN, ]

Questions # 84:

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

Options:

The recipients or categories of recipients.

The categories of personal data concerned.

The rights of access, erasure, restriction, and portability.

The right to lodge a complaint with a supervisory authority.

Answer

Explanation

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

Art. 13 GDPR - Information to be provided where personal data are collected from the data subject

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 13: Information to be provided where personal data are collected from the data subject - GDPR

[Reference: https://gdpr-info.eu/art-13-gdpr/, ]

Viewing page 9 out of 9 pages

Viewing questions 81-90 out of questions

Modal title

Registered Required

In order to participate in the comments you need to be logged-in.
You can sign-up or login (it's free).

TOP CODES

Top selling exam codes in the certification world, popular, in demand and updated to help you pass on the first try.

2V0-11.25

ADM-201

Agentforce-Specialist

CMMC-CCP

Data-Cloud-Consultant

PCNSE

PDI

PSE-Strata-Pro-24

Secure-Software-Design

Sharing-and-Visibility-Architect

Workday-Pro-Integrations

ZDTA