Free Certified Information Privacy Professional CIPP-E Ultimate Study Guide (Updated 208 Questions) [Q25-Q41]

Share

Free Certified Information Privacy Professional CIPP-E Ultimate Study Guide (Updated 208 Questions)

Get to the Top with CIPP-E Practice Exam Questions


What are the Problems of IAPP CIPP/E Exam

Candidates face many problems when they start preparing for the IAPP CIPP/E Exam. If a candidate wants to prepare his for the IAPP CIPP/E Exam without any problem and get good grades in the exam. Then they have to choose the best IAPP CIPP/E Exam dumps for real exam questions practice. There are many websites that are offering the latest IAPP CIPP/E Exam questions and answers but these questions are not verified by IAPP certified experts and that’s why many are failed in their just first attempt. PrepAwayETE is the best platform which provides the candidate with the necessary IAPP 63 questions that will help him to pass the IAPP CIPP/E Exam on the first time. The candidate will not have to take the IAPP CIPP/E Exam twice because with the help of IAPP CIPP/E Exam dumps the Candidate will have every valuable material required to pass the IAPP CIPP/E Exam. We are providing the latest and actual questions and that is the reason why this is the one that he needs to use and there are no chances to fail when a candidate will have valid braindumps from PrepAwayETE. We have the guarantee that the questions that we have will be the ones that will pass candidate in the IAPP CIPP/E Exam in the very first attempt.

 

NEW QUESTION 25
There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

  • A. Incident detection and response.
  • B. Remedial security.
  • C. Preventative security.
  • D. Consent management and withdrawal.

Answer: D

 

NEW QUESTION 26
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

  • A. Conducting regular audits of the data protection program.
  • B. Encrypting data in transit and at rest using strong encryption algorithms.
  • C. Getting consent from the data subject for a cross border data transfer.
  • D. Anonymizing special categories of data.

Answer: A

 

NEW QUESTION 27
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?

  • A. It determines how long to retain the personal data collected.
  • B. It has been provided access to personal data in the MarketIQ database.
  • C. It uses personal data to improve its products and services for its client-base through machine learning.
  • D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Answer: D

 

NEW QUESTION 28
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within one month of receipt, which may be extended by an additional two months
  • B. Within one month of receipt, which may be extended by up to an additional month
  • C. Within 40 days of receipt, which may be extended by up to 40 additional days
  • D. Within 40 days of receipt

Answer: B

Explanation:
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/individual-rights/right-of-access/

 

NEW QUESTION 29
Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

  • A. Important.
  • B. DPA-approved.
  • C. Prudent.
  • D. Proportionate.

Answer: D

 

NEW QUESTION 30
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

  • A. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
  • B. Encrypt the data in transit over the wireless Bluetooth connection.
  • C. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  • D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.

Answer: B

 

NEW QUESTION 31
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

  • A. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
  • B. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
  • C. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
  • D. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.

Answer: C

 

NEW QUESTION 32
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  • A. An explanation of the security measures used when personal data is transferred to a third party.
  • B. An efficient means of providing written consent in member states where they are required to do so.
  • C. A privacy notice containing brief information whilst offering access to further detail.
  • D. A privacy notice explaining the consequences for opting out of the use of cookies on a website.

Answer: C

Explanation:
Explanation

 

NEW QUESTION 33
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

  • A. When calling a potential customer to notify her of an upcoming product sale.
  • B. When emailing a customer to announce that his recent order should arrive earlier than expected.
  • C. When creating an untargeted pop-up ad on a website.
  • D. When paying a search engine company to give prominence to certain products and services within specific search results.

Answer: C

Explanation:
Explanation/Reference: https://www.privacytrust.com/guidance/gdpr-vs-eprivacy-regulation.html

 

NEW QUESTION 34

  • A. Their omission of data protection provisions in their contract with Company C.
  • B. Their failure to provide sufficient security safeguards to Company A's data.
  • C. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
    Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
    Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
  • D. Their decision to operate without a data protection officer.
  • E. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
    Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
    Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company
  • F. Their engagement of Company C to improve their payroll service.

Answer: F

 

NEW QUESTION 35
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal dat a. Under what condition can the organization charge the data subject a fee for processing the request?

  • A. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
  • B. Only if the organization can demonstrate that the request is clearly excessive or misguided.
  • C. Only where the administrative costs of taking the action requested exceeds a certain threshold.
  • D. Only where the organization can show that it is reasonable to do so because more than one request was made.

Answer: A

 

NEW QUESTION 36
The Planet 49 CJEU Judgement applies to?

  • A. Cookies used only by third parties.
  • B. Cookies where the data accessed is considered as personal data only.
  • C. Cookies that are deemed technically necessary.
  • D. Cookies regardless of whether the data accessed is personal or not.

Answer: D

 

NEW QUESTION 37
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

  • A. Their omission of data protection provisions in their contract with Company C.
  • B. Their failure to provide sufficient security safeguards to Company A's data.
  • C. Their decision to operate without a data protection officer.
  • D. Their engagement of Company C to improve their payroll service.

Answer: D

 

NEW QUESTION 38
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

  • A. Documenting due diligence steps taken in the pre-contractual stage.
  • B. Requiring that the processor directly notify the appropriate supervisory authority.
  • C. Maintaining evidence that the processor was the best possible market choice available.
  • D. Conducting a risk assessment to analyze possible outsourcing threats.

Answer: A

 

NEW QUESTION 39
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

  • A. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
  • B. Submit a draft decision to other supervisory authorities for their opinion.
  • C. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
  • D. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.

Answer: C

 

NEW QUESTION 40
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  • A. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
  • B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  • C. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
  • D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Answer: D

 

NEW QUESTION 41
......


You can read the IAPP CIPP/E Exam certified salary below

The Average Salary of an IAPP CIPP/E Exam in

  • Europe - 104162 EURO
  • England - 94029 POUND
  • United State - 122,750 USD
  • India - 9206648 INR

 

Pass IAPP CIPP-E exam - questions - convert Tets Engine to PDF: https://www.prepawayete.com/IAPP/CIPP-E-practice-exam-dumps.html

Use Real CIPP-E Dumps Free Sample Questions and Practice Test Engine : https://drive.google.com/open?id=1BbLGyHwAY4AGaUgxj4KyI6XJIJzDQBWH 

Contact Us

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now