CIPP-E exam

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in...

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?A . Name and contact details of each controller on behalf of which the processor is acting.B . Categories of processing carried out on behalf of each...

Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?A . The data subject already has information regarding how his data will be usedB . The provision of such information to...

SCENARIO Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is...

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this...

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?A . A postal notificationB . A direct electronic messageC ....

Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?A . If the processing is to be performed by a third-party vendorB . If the processing involves data that is considered personal dataC . If the processing of the data is done...

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?A . ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.B . CJEU can force...

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?A . Data subjects must be sufficiently informed of the purposes for which their personal data is processed.B . Processing of special categories of personal data on a large scale requires appointing a...

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?A . The ability to enact new laws by executive order.B . The right to access data for investigative purposes.C . The discretion to carry out goals of elected...