CIPP-E exam

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the...

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?A . The processing is done by a non-profit organization and the results are disclosed outside the organization.B . The processing is necessary to protect the...

SCENARIO Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a...

According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?A . As soon as possible after obtaining the personal data.B . As soon as possible after the...

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?A . A postal notificationB . A direct electronic messageC ....

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?A . Data subjects must be sufficiently informed of the purposes for which their personal data is processed.B . Processing of special categories of personal data on a large scale requires appointing a...

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?A . The individuals are European citizens or...

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?A . Consent management and withdrawal.B . Incident detection and response.C . Preventative security.D . Remedial security.View AnswerAnswer: A

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?A . They are allowed if determined to be technically necessary.B . They do not amount to valid consent under any circumstances.C . They are allowed if recorded In the register of processing activities.D . They...

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?A . Where the technology supporting the website is locatedB . Where the website is accessedC . Where the decisions about processing are madeD . Where...