CIPP-E Pre-Exam Practice Tests (Updated 208 Questions) [Q32-Q52]

NEW QUESTION 32
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Avoiding the use of another company's data to improve their own services.
  • B. Vetting companies' measures with the appropriate supervisory authority.
  • C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • D. Requesting advice and technical support from Company A's IT team.

Answer: C

 

NEW QUESTION 33
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

  • A. The use of cookies to collect data about an individual.
  • B. A text message to individuals from a company offering concert tickets for sale.
  • C. Advertisements passively displayed on a website.
  • D. An email from a retail outlet promoting a sale to one of their previous customers.

Answer: C

 

NEW QUESTION 34
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

  • A. Notify all of its customers that reside in the European Union.
  • B. Analyze and evaluate all of its breach notification obligations.
  • C. Analyze and evaluate the liability for customers in Ireland.
  • D. Notify its Data Protection Authority about the data breach.

Answer: D

 

NEW QUESTION 35
According to the GDPR, how is pseudonymous personal data defined?

  • A. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
  • B. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
  • C. Data that has been encrypted or is subject to other technical safeguards.
  • D. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Answer: B

Explanation:
Explanation/Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/

 

NEW QUESTION 36
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

  • A. If the processing involves data that is considered personal data
  • B. If the processing is to be performed by a third-party vendor
  • C. If the processing is used to predict the behavior of data subjects
  • D. If the processing of the data is done through automated means

Answer: C

 

NEW QUESTION 37
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  • B. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • C. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

Answer: C

 

NEW QUESTION 38
SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

  • A. Delete all data collected prior to May 2018 after conducting the trend analysis.
  • B. Conduct analysis only on pseudonymized personal data.
  • C. Conduct analysis only on anonymized personal data.
  • D. Procure a third party to conduct the analysis and delete the data from Market4U's systems.

Answer: C

 

NEW QUESTION 39
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  • A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
  • B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  • C. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
  • D. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.

Answer: C

 

NEW QUESTION 40
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

  • A. Get consent from the app users.
  • B. Provide a transparent notice to users.
  • C. Anonymize the data and add latency so it avoids disclosing real time locations.
  • D. Obtain a court order because location data is a special category of personal data.

Answer: A

 

NEW QUESTION 41
When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

  • A. The ease of identification of individuals.
  • B. The nature, sensitivity and volume of personal data.
  • C. The size of any data processor involved.
  • D. The special characteristics of the data controller.

Answer: C

 

NEW QUESTION 42
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him the full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis does not have the right to object to the use of his data because he previously consented to it.
  • B. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • C. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
  • D. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.

Answer: B

 

NEW QUESTION 43
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

  • A. Information about how providing consent could affect them as employees.
  • B. Information about what is specified in the employment contract.
  • C. Information about who employees should contact with any queries.
  • D. Information about how the measures are in the best interests of the company.

Answer: B

 

NEW QUESTION 44
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

  • A. The authority to select penalties when a controller is found guilty in a court of law.
  • B. The right to access data for investigative purposes.
  • C. The discretion to carry out goals of elected officials within the member state.
  • D. The ability to enact new laws by executive order.

Answer: B

 

NEW QUESTION 45
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

  • A. Where the customer's Internet service provider is located
  • B. Where the website is accessed
  • C. Where the technology supporting the website is located
  • D. Where the decisions about processing are made

Answer: A

Explanation:
Explanation/Reference: https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the-european-general-data-protection-regulation-gdpr/

 

NEW QUESTION 46
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

  • A. A company wants to use location data to infer information on a person's clothes purchasing habits.
  • B. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
  • C. A company wants to combine location data with other data in order to offer more personalized service for the customer.
  • D. A company wants to use location data to track delivery trucks in order to make the routes more efficient.

Answer: B

Explanation:
Explanation/Reference: http://webcache.googleusercontent.com/search?q=cache:aQkU17eX9sQJ:https://www.shlegal.com/insights/article-29-data-protection-working-party-gdpr-guidelines-on-data-protection-impact-assessments&client=firefox-b-e&hl=en&gl=pk&strip=1&vwsrc=0

 

NEW QUESTION 47
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?

  • A. Department for Education records
  • B. Student records
  • C. Frank's performance database
  • D. Staff and alumni records

Answer: D

 

NEW QUESTION 48
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

  • A. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
  • B. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
  • C. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
  • D. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.

Answer: A

 

NEW QUESTION 49
A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

  • A. The school gets explicit consent from the students.
  • B. Processing is necessary for the legitimate interests pursued by the school.
  • C. The school places a notice near each camera.
  • D. A state law requires facial recognition to verify attendance.

Answer: C

 

NEW QUESTION 50
An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

  • A. Only if the organisation can demonstrate that the request is clearly excessive or misguided.
  • B. Only where the administrative costs of taking the action requested exceeds a certain threshold.
  • C. Only where the organisation can show that it is reasonable to do so because more than one request was made.
  • D. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

Answer: A

 

NEW QUESTION 51
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. No prior permission required, but an opt-out requirement on all emails sent to consumers.
  • B. A pre-checked box stating that the consumer agrees to receive email marketing.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. A prior opt-in consent for consumers unless they are already customers.

Answer: D

 

NEW QUESTION 52
......
