IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Online Training
The questions for CIPP-E were last updated on Nov 19, 2024.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Nov 19, 2024
Read the following steps:
✑ Discover which employees are accessing cloud services and from which devices and apps
✑ Lock down the data in those apps and devices
✑ Monitor and analyze the apps and devices for compliance
✑ Manage application life cycles
✑ Monitor data sharing
An organization should perform these steps to do which of the following?
- A . Pursue a GDPR-compliant Privacy by Design process.
- B . Institute a GDPR-compliant employee monitoring process.
- C . Maintain a secure Bring Your Own Device (BYOD) program.
- D . Ensure cloud vendors are complying with internal data use policies.
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A . The requirements affected individuals without exception.
- B . The requirements were financially burdensome to EU businesses.
- C . The requirements specified that data must be held within the EU.
- D . The requirements had limitations on how national authorities could use data.
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?
- A . Greece
- B . Norway
- C . Australia
- D . Switzerland
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
- A . The group of undertakings must obtain approval from a supervisory authority.
- B . The group of undertakings must be comprised of organizations of similar sizes and functions.
- C . The data protection officer must be located in the country where the data controller has its main establishment.
- D . The data protection officer must be easily accessible from each establishment where the undertakings are located.
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
- A . New corporate governance and code of conduct.
- B . A data protection impact assessment.
- C . A comprehensive data inventory.
- D . Hiring a data protection officer.
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties.
Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?
- A . It must solicit informed consent through a notice on its website
- B . It must seek authorization from the European supervisory authorities
- C . It must be able to demonstrate a prior business relationship with the customers
- D . It must prove that it uses sufficient security safeguards to protect customer data
SCENARIO
Please use the following to answer the next question:
Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities mean that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities.
Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?
- A . The company will be undertaking processing activities involving sensitive data categories such as financial and children’s data.
- B . The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
- C . The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
- D . The company intends to shift their business model to rely more heavily on online shopping.
Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?
- A . Data subjects must be sufficiently informed of the purposes for which their personal data is processed.
- B . Processing of special categories of personal data on a large scale requires appointing a DPO.
- C . Personal data of data subjects must always be accurate and kept up to date.
- D . Data controllers must be in control of the data they hold at all times.
What are the obligations of a processor that engages a sub-processor?
- A . The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
- B . The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
- C . The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
- D . The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
What type of data lies beyond the scope of the General Data Protection Regulation?
- A . Pseudonymized
- B . Anonymized
- C . Encrypted
- D . Masked