[Q111-Q136] Certification Training for CIPP-E Exam Dumps Test Engine [2022]

Certification Training for CIPP-E Exam Dumps Test Engine [2022]

Jan 01, 2022 Step by Step Guide to Prepare for CIPP-E Exam

Exam Topics

The content of the CIPP/E certification exam revolves around three major subject areas, including the following:

• Compliance with European Data Protection Law and Regulation

  This area includes 9-18 exam questions. This topic unites the aspects, such as employment relations (storage of personnel records, whistleblowing systems, workplace monitoring & data loss prevention, EU Works councils, Bring Your Own Device (BYOD) programs); surveillance activities (interception of communications, surveillance by public authorities, closed-circuit television (CCTV), facial/biometrics recognition, geolocation); direct marketing (direct marketing, telemarketing, as well as online behavioural targeting); Internet technologies & communications (web cookies, search engine marketing (SEM), Artificial Intelligence (AI), cloud computing, social networking services).

• European Data Protection Law and Regulation

  This objective covers from 42 to 69 exam questions. Here the students should demonstrate that they have a good understanding of data protection principles (personal data as well as sensitive personal data, anonymous & pseudonymous data, controller, processing, processor, data subject); territorial & material GDPR scope (establishment as well as non-establishment in the EU); data processing concepts (purpose limitation, fairness & lawfulness, storage limitation/retention, accuracy, proportionality, integrity & confidentiality); lawful processing criteria (contractual necessity, consent, legitimate interests, vital interests as well as public interest, legal obligation, special categories of processing); information provision obligations (privacy notices, transparency principle, layered notices).

  Additionally, the examinees must prove that they are proficient in data subjects rights (rectification, access, restriction & objection erasure as well as the right to be forgotten, automated decision making, consent (and withdrawal of), etc.); personal data security (relevant organizational & technical measures, vendor management, breach notification, data sharing); accountability requirements (responsibility of processors & controllers, data protection by default as well as by design, data protection influence evaluation, documentation & cooperation with regulators, auditing of privacy programs, compulsory data protection officers).

  Lastly, the subject also requires your understanding of international data transfers (safe jurisdictions, prohibition rationale, Binding Corporate Rules (BCRs), Safe Harbor & Privacy Shield, model contracts, derogations, codes of conduct &certifications); supervision & enforcement (supervisory authorities as well as their powers, role of the European Data Protection Supervisor (EDPS), the European Data Protection Board); consequences for GDPR violations (infringement & fines, data subject compensation, process & procedures).

• Introduction to European Data Protection

  The certification exam can have 4 to 10 questions on this topic. This domain encompasses one’s knowledge of origins and historical context of data protection law (including human rights laws, early laws & regulations, data protection rationale, the Treaty of Lisbon; the need for a harmonized European approach, a modernized framework). The candidates must also be familiar with the European Union institutions, such as the European Court of Human Rights, the Council of Europe, the European Parliament, the European Commission, the European Court of Justice European Council. Moreover, in order to answer the questions in this section, the test takers must know the legal framework. This includes their knowledge of the EU Data Protection Directive (95/46/EC), European data retention regimes, the EU Directive on Privacy and Electronic Communications (2002/58/EC), the General Data Protection Regulation (GDPR), etc.

 

NEW QUESTION 111
What term BEST describes the European model for data protection?

• A. Market-based
• B. Self-regulatory
• C. Sectoral
• D. Comprehensive

Answer: C

Explanation:
Explanation/Reference: https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf

 

NEW QUESTION 112
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

• A. Verify that the identity of the customer can be proven by other means.
• B. Verify that the purpose of the request from the customer is in line with the GDPR.
• C. Verify that the request is applicable to the data collected before the GDPR entered into force.
• D. Verify that the personal data has not already been sent to the customer.

Answer: C

 

NEW QUESTION 113
According to the GDPR, how is pseudonymous personal data defined?

• A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
• B. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
• C. Data that has been encrypted or is subject to other technical safeguards.
• D. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

Answer: A

Explanation:
Explanation/Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/

 

NEW QUESTION 114
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?

• A. Maintain a secure Bring Your Own Device (BYOD) program.
• B. Pursue a GDPR-compliant Privacy by Design process.
• C. Ensure cloud vendors are complying with internal data use policies.
• D. Institute a GDPR-compliant employee monitoring process.

Answer: A

 

NEW QUESTION 115
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

• A. Retention periods for erasure and deletion of categories of personal data.
  Section: (none)
  Explanation
• B. Categories of recipients to whom the personal data have been disclosed.
• C. Data inventory or data mapping exercises that have been conducted.
• D. Incidents of personal data breaches, whether disclosed or not.

Answer: A

 

NEW QUESTION 116
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

• A. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
• B. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
  Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)
• C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
• D. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

Answer: C

 

NEW QUESTION 117
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

• A. Storage Limitation
• B. Integrity and confidentiality
• C. Accuracy
• D. Lawfulness, fairness and transparency

Answer: B

 

NEW QUESTION 118
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?

• A. Student records
• B. Frank's performance database
• C. Department for Education records
• D. Staff and alumni records

Answer: D

 

NEW QUESTION 119
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?

• A. Encrypt the data from all of its employees.
• B. Send out consent forms to all of its employees.
• C. Minimize the amount of data collected for the lawsuit.
• D. Inform all of its employees about the lawsuit.

Answer: C

 

NEW QUESTION 120
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual's personal data.
Which of the following best explain why this practice would NOT be subject to the GDPR?

• A. Body temperature is not considered personal data.
• B. The practice is for the purpose of alleviating extreme risks to public health.
• C. The practice does not involve completion by automated means.
• D. Body temperature is considered pseudonymous data.

Answer: C

 

NEW QUESTION 121
How is the GDPR's position on consent MOST likely to affect future app design and implementation?

• A. Users will be given granular types of consent for particular types of processing.
• B. App developers' responsibilities as data controllers will increase.
• C. Users will see fewer advertisements when using apps.
• D. App developers will expand the amount of data necessary to collect for an app's functionality.

Answer: A

 

NEW QUESTION 122
Which of the following is an example of direct marketing that would be subject to European data protection laws?

• A. A revision of contract terms conveyed to an individual by SMS from a marketing organization.
• B. A charity fundraising event notice sent to an individual at her business address.
• C. A service outage notification provided to an individual by recorded telephone message.
• D. An updated privacy notice sent to an individual's personal email address.

Answer: B

 

NEW QUESTION 123
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

• A. A notice that the consumer's email address will be used for marketing purposes.
• B. A pre-checked box stating that the consumer agrees to receive email marketing.
• C. A prior opt-in consent for consumers unless they are already customers.
• D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Answer: C

Explanation:
Explanation/Reference: https://www.forbes.com/sites/forbescommunicationscouncil/2018/06/27/what-gdpr-means-for- email-marketing-to-eu-customers/#64020aa8374a

 

NEW QUESTION 124
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations.
TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick.
Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

• A. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
• B. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
• C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
• D. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

Answer: D

 

NEW QUESTION 125
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

• A. Where an individual's details have been obtained from a bought-in marketing list.
• B. When an individual's details are obtained from their inquiries about buying a product.
• C. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
• D. When an individual has not consented to the marketing.

Answer: C

 

NEW QUESTION 126
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

• A. The obligation of companies to declare data breaches.
• B. The necessity of the bulk collection of personal data by the government.
• C. The requirement to demonstrate compliance to a supervisory authority.

Answer: C

 

NEW QUESTION 127
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?

• A. It can only be attributed to a person by the controller.
• B. It cannot be attributed to a person under any circumstances.
• C. It can only be attributed to a person by a third party.
• D. It cannot be attributed to a data subject without the use of additional information.

Answer: D

 

NEW QUESTION 128
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?

• A. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
• B. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
• C. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
• D. Consent for data collection is implied through the parent's purchase of the action figure for the child.

Answer: B

 

NEW QUESTION 129
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

• A. More information about the algorithm Frank used to mask student numbers.
• B. More information about the extent of the information loss.
• C. More information about what students have been told and how the research will be used.
• D. More information about Frank's data protection training.

Answer: C

 

NEW QUESTION 130
How does the GDPR now define "processing"?

• A. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
• B. Any act involving the collecting and recording of personal data.
• C. Any operation or set of operations performed on personal data or on sets of personal data.
• D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Answer: B

 

NEW QUESTION 131
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

• A. Both require notification of processing activities to a supervisory authority
• B. Both govern international transfers of personal data
• C. Both only apply to European Union countries
• D. Both govern the manual processing of personal data

Answer: A

 

NEW QUESTION 132
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

• A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection.
• B. Demonstrate that the profiling is for the purposes of direct marketing.
• C. Consider the impact of the profiling on the data subject's interest, rights and freedoms.
• D. Consider the importance of the profiling to their particular objective.

Answer: B

 

NEW QUESTION 133
What was the aim of the European Data Protection Directive 95/46/EC?

• A. To completely prevent the transfer of personal data out of the European Union.
• B. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
• C. To harmonize the implementation of the European Convention of Human Rights across all member states.
• D. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

Answer: B

 

NEW QUESTION 134
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

• A. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.
• B. Identify other controllers who are processing the same information and inform them of the delisting request.
• C. Notify the newspaper that its article it is delisting the article.
• D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: C

 

NEW QUESTION 135
A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?

• A. Provide the employee the reasons for retaining the data.
• B. Destroy sensitive information and store the rest per applicable data protection rules.
• C. Store all of the data in case the departing worker makes a subject access request.
• D. Securely store the data that is required to be kept under local law.

Answer: B

 

NEW QUESTION 136
......

Ultimate Guide to Prepare CIPP-E Certification Exam for Certified Information Privacy Professional: https://www.dumpsmaterials.com/CIPP-E-real-torrent.html

Certified Information Privacy Professional CIPP-E Real Exam Questions and Answers FREE Updated: https://drive.google.com/open?id=17kZCqsZke_mgkXe9szIxLnJwM5aDHX6T