Iapp Exambible Cipp

Welcome to download the Newest 2passeasy CIPP-E dumps
https://www.2passeasy.com/dumps/CIPP-E/ (206 New Questions)
Exam Questions CIPP-E

Certified Information Privacy Professional/Europe (CIPP/E)
https://www.2passeasy.com/dumps/CIPP-E/
Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 1
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an
internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree
on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a
rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards
program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he
believes are his data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency’s roles in this relationship?
A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.
B. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.
C. ABC Hotel Chain and XYZ Travel Agency are independent controllers.
D. ABC Hotel Chain and XYZ Travel Agency are joint controllers.
Answer: A
NEW QUESTION 2
With the issue of consent, the GDPR allows member states some choice regarding what?
A. The mechanisms through which consent may be communicated

B. The circumstances in which silence or inactivity may constitute consent
C. The age at which children must be required to obtain parental consent
D. The timeframe in which data subjects are allowed to withdraw their consent
Answer: C
NEW QUESTION 3
To which of the following parties does the territorial scope of the GDPR NOT apply?
A. All member countries of the European Economic Area.

B. All member countries party to the Treaty of Lisbon.
C. All member countries party to the Paris Agreement.
D. All member countries of the European Union.
Answer: A
NEW QUESTION 4
SCENARIO
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The
University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of
special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain
demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification
numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest. In order to improve his teaching, Frank wants to investigate
how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and
knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous
schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student
level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same
algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR.
After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects
that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after
she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the
laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security
incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?
A. More information about Frank’s data protection training.

B. More information about the extent of the information loss.
C. More information about the algorithm Frank used to mask student numbers.
D. More information about what students have been told and how the research will be used.
Answer: D
NEW QUESTION 5
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
Answer: C
NEW QUESTION 6
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of
personal data under EU data protection law?
A. Data ownership allocation.

B. Access control management.
C. Frequent pseudonymization key rotation.
D. Error propagation avoidance along the processing chain.
Answer: C
NEW QUESTION 7
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of
their service, WonderKids will pass all personal data
provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person
booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information.
The privacy statement on Wonderkids’ website states the following:
“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may
also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in
Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate
safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real
value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal
information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use
our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right
to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the
right to complain to the supervisory authority about our data processing activities.”
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?
A. No marketing information at all.

B. Any marketing information at all.
C. Marketing information related to other business operations of WonderKids.
D. Marketing information for products or services similar to those purchased from WonderKids.
Answer: C
NEW QUESTION 8
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
A. Name and contact details of each controller on behalf of which the processor is acting.
B. Categories of processing carried out on behalf of each controller for which the processor is acting.
C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for
which the processor is acting.
Answer: C
NEW QUESTION 9
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
A. The right to privacy is an absolute right

B. The right to privacy has to be balanced against other rights under the ECHR
C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
Answer: B
NEW QUESTION 10
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of
EU law?
A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
B. The Directive was superseded by the General Data Protection Regulation.
C. The Directive was annulled by the Court of Justice of the European Union.
D. The Directive was annulled by the European Court of Human Rights.
Answer: C

NEW QUESTION 10
Which type of personal data does the GDPR define as a “special category” of personal data?
A. Educational history.
B. Trade-union membership.
C. Closed Circuit Television (CCTV) footage.
D. Financial information.
Answer: B
NEW QUESTION 11
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to
achieve in Europe?
A. The establishment of a list of legitimate data processing criteria

B. The creation of legally binding data protection principles
C. The synchronization of approaches to data protection
D. The restriction of cross-border data flow
Answer: D
NEW QUESTION 12
SCENARIO
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its
employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it
blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the
DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer
base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian
customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob
proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan,
We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other
applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to
customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit
these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a
building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any
technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom
are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health
information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?
A. Its plan would be in the context of the establishment of a controller in the Union.
B. It would be offering goods or services to data subjects in the Union.
C. It is engaging in commercial activities conducted in the Union.
D. It is monitoring the behavior of data subjects in the Union.
Answer: D
NEW QUESTION 13
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border
transfers?
A. The European Commission can adopt an adequacy decision for individual companies.
B. The European Commission can adopt, repeal or amend an existing adequacy decision.
C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
Answer: A
NEW QUESTION 14
To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?
A. The Court of Justice of the European Union.

B. The European Data Protection Supervisor.
C. The European Court of Human Rights.
D. The European Data Protection Board.
Answer: A
NEW QUESTION 17
Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?
A. That it essentially functions as a one-stop shop mechanism

B. That it takes the form of a Regulation as opposed to a Directive

C. That it makes notification of large-scale data breaches mandatory
D. That it makes appointment of a data protection officer mandatory
Answer: D
NEW QUESTION 20
SCENARIO
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy,
France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination
with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training
awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software
that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the
monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the
company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to
monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily
connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the
Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the
company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
A. Assessed potential privacy risks by conducting a data protection impact assessment.

B. Consulted with the relevant data protection authority about potential privacy violations.
C. Distributed a more comprehensive notice to employees and received their express consent.
D. Consulted with the Information Security team to weigh security measures against possible server impacts.
Answer: C
NEW QUESTION 25
What obligation does a data controller or processor have after appointing a data protection officer?
A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
C. To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.
D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection
principles.
Answer: D
NEW QUESTION 26
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
A. The requirements affected individuals without exception.

B. The requirements were financially burdensome to EU businesses.
C. The requirements specified that data must be held within the EU.
D. The requirements had limitations on how national authorities could use data.
Answer: D
NEW QUESTION 27
SCENARIO
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem
teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing
campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data
sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and
EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run
successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning
models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models
in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion
process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing
identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying
information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such
contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing
campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future
regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?
A. It determines how long to retain the personal data collected.

B. It has been provided access to personal data in the MarketIQ database.
C. It uses personal data to improve its products and services for its client-base through machine learning.

D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data.
Answer: D
NEW QUESTION 28
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage
featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they
use for their documentary?
A. If obtaining consent is deemed to involve disproportionate effort.

B. If obtaining consent is deemed voluntary by local legislation.
C. If the company limits the footage to data subjects solely of legal age.
D. If the company’s status as a documentary provider allows it to claim legitimate interest.
Answer: B
NEW QUESTION 32
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?
A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
Answer: A
NEW QUESTION 33
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
A. Legislative powers.
B. Corrective powers.
C. Investigatory powers.
D. Authorization and advisory powers.
Answer: D
NEW QUESTION 38
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
A. When the personal data is processed only in non-electronic form

B. When the personal data is collected and then pseudonymised by the controller
C. When the personal data is held by the controller but not processed for further purposes
D. When the personal data is processed by an individual only for their household activities
Answer: B
NEW QUESTION 41
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?
A. Pursue a GDPR-compliant Privacy by Design process.

B. Institute a GDPR-compliant employee monitoring process.
C. Maintain a secure Bring Your Own Device (BYOD) program.
D. Ensure cloud vendors are complying with internal data use policies.
Answer: C
NEW QUESTION 44
Why is advisable to avoid consent as a legal basis for an employer to process employee data?
A. Employee data can only be processed if there is an approval from the data protection officer.
B. Consent may not be valid if the employee feels compelled to provide it.
C. An employer might have difficulty obtaining consent from every employee.
D. Data protection laws do not apply to processing of employee data.
Answer: A
NEW QUESTION 47
How does the GDPR now define “processing”?
A. Any act involving the collecting and recording of personal data.

B. Any operation or set of operations performed on personal data or on sets of personal data.
C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
Answer: A
NEW QUESTION 50
Select the answer below that accurately completes the following: “The right to compensation and liability under the GDPR…
A. …provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the
damage.”
B. …precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing.”
C. ...can only be exercised against the data controller, even if a data processor was involved in the same processing.”
D. …is limited to a maximum amount of EUR 20 million per event of damage or loss.”
Answer: B
NEW QUESTION 51
SCENARIO
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a
multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the
company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from
a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows
Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For
Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal
information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not
doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As
Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all
of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about
the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company
to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to
the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company
in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire
global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy
that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed
to first do what?
A. Send out consent forms to all of its employees.

B. Minimize the amount of data collected for the lawsuit.
C. Inform all of its employees about the lawsuit.
D. Encrypt the data from all of its employees.
Answer: B
NEW QUESTION 53
The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from
data subjects, which of the following items of information does NOT legally have to be supplied?
A. The recipients or categories of recipients.

B. The categories of personal data concerned.
C. The rights of access, erasure, restriction, and portability.
D. The right to lodge a complaint with a supervisory authority.
Answer: B
NEW QUESTION 54
SCENARIO
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in
conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s
existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May
2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide
useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior,
Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to
participate in Market4U’s forum, and attending events. Such fields include birth date and salary.
What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?
A. Conduct analysis only on anonymized personal data.

B. Conduct analysis only on pseudonymized personal data.
C. Delete all data collected prior to May 2018 after conducting the trend analysis.
D. Procure a third party to conduct the analysis and delete the data from Market4U’s systems.

Answer: A
NEW QUESTION 59
SCENARIO
base.
information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?
A. Get consent from the app users.

B. Provide a transparent notice to users.
C. Anonymize the data and add latency so it avoids disclosing real time locations.
D. Obtain a court order because location data is a special category of personal data.
Answer: A
NEW QUESTION 60
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.
C. When emailing a customer to announce that his recent order should arrive earlier than expected.
D. When paying a search engine company to give prominence to certain products and services within specific search results.
Answer: A
NEW QUESTION 62
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what
condition?
A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
B. When it has been determined that adequate protection can be performed.
C. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
D. Only as a last resort and when interpreted restrictively.
Answer: B
NEW QUESTION 65
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection
that is in compliance with the European Union (EU) level?
A. After a personal data breach.

B. Every three (3) years.
C. On an ongoing basis.
D. Every year.
Answer: C
NEW QUESTION 67
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
A. The European Parliament

B. The European Commission
C. The Article 29 Working Party
D. The European Council
Answer: B
NEW QUESTION 68

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?
A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
B. Adequacy determinations automatically lapse when a Member State leaves the EU.
C. The UK is now a third country because it’s no longer subject to the GDPR.
D. The UK is less trustworthy now that its not part of the Union.
Answer: C
NEW QUESTION 69
SCENARIO
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found
internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong
Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the
United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as
the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations
or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a
10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with
each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure.
The answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on
how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center
located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of
playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the
action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by
accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible
to bring the figure to locations outside of the home and have the character’s abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
A. Encrypt the data in transit over the wireless Bluetooth connection.

B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
Answer: A
NEW QUESTION 71
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
A. To encourage the consistency of local data processing activity.

B. To give corporations a choice about who their supervisory authority will be.
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.
Answer: A
NEW QUESTION 73
SCENARIO
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with
another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts
included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the
use of cookies.
T-C raze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main
product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right
Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is
most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded
nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the
Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication
even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
Which of the following is T-Craze’s lead supervisory authority?
A. Germany, because that is where T-Craze is headquartered.

B. France, because that is where T-Craze conducts processing of personal information.
C. Spain, because that is T-Craze’s primary market based on its marketing campaigns.
D. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.
Answer: C
NEW QUESTION 74
SCENARIO
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to
the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they

can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to
tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best
accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires
will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the
new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices.
The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on
the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a
special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for
these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to
TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a
time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company,
Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files
onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a
crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the
company’s system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?
A. The resulting obligation to notify data subjects would involve disproportionate effort.
B. The incident resulted from the actions of a third-party that were beyond their control.
C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
D. The sensitivity of the categories of data involved in the incident was not substantial enough.
Answer: B
NEW QUESTION 76
SCENARIO
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin,
Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR)
and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of
information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant
emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that
Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this
assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data
Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s
business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?
A. An evaluation of the complexity of the intended processing.

B. An explanation of the purposes and means of the intended processing.
C. Records showing that customers have explicitly consented to the intended profiling activities.
D. Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.
Answer: B
NEW QUESTION 79
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple
processing operations be allowed?
A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.
C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
Answer: D
NEW QUESTION 84
SCENARIO
Best.

the U.S.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
A. Notify its Data Protection Authority about the data breach.

B. Analyze and evaluate the liability for customers in Ireland.
C. Analyze and evaluate all of its breach notification obligations.
D. Notify all of its customers that reside in the European Union.
Answer: A
NEW QUESTION 88
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
A. Both govern international transfers of personal data

B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority
Answer: D
NEW QUESTION 89
Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?
A. When an individual has not consented to the marketing.

B. When an individual’s details are obtained from their inquiries about buying a product.
C. Where an individual’s details have been obtained from a bought-in marketing list.
D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
Answer: B
NEW QUESTION 91
SCENARIO
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure.
The answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on
how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center
To ensure GDPR compliance, what should be the company’s position on the issue of consent?
A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
B. Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority.
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected.
Answer: D
NEW QUESTION 95
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
A. To create and maintain records of processing activities.

B. To conduct Privacy Impact Assessments on behalf of the controller or processor.
C. To monitor compliance with other local or European data protection provisions.
D. To create procedures for notification of personal data breaches to competent supervisory authorities.
Answer: B
NEW QUESTION 98
SCENARIO

What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
A. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to
this employee, including fair dismissal.
C. Since the employee was not informed that the security measures would be used for other purposes suchas monitoring, the company could face difficulties in
applying any disciplinary measures to this employee.
D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company
would be entitled to apply some disciplinary measures, but not dismissal.
Answer: D
NEW QUESTION 103

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?
A. App developers will expand the amount of data necessary to collect for an app’s functionality.
B. Users will be given granular types of consent for particular types of processing.
C. App developers’ responsibilities as data controllers will increase.
D. Users will see fewer advertisements when using apps.
Answer: B
NEW QUESTION 108

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and
other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in
photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will
identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to
those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?
A. It collects data from European Union websites, which constitutes an establishment in the EuropeanUnion.
B. It offers services in the European Union by identifying data subjects in the European Union.
C. It collects data from subjects and uses it for automated processing.
D. It monitors the behavior of data subjects in the European Union.
Answer: A
NEW QUESTION 111

Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.

B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
D. Personal data of EU residents being processed by a non-EU business that targets EU customers.
Answer: B
NEW QUESTION 112

What are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the
personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those
that apply to the processor.
Answer: C
NEW QUESTION 116

SCENARIO
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of
services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s

company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own
online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area,
which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not
noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries
that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice
to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the
privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has
taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now
posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home
webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let
him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did
offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party
ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements
contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?
A. Because of the misrepresentation of personal data as an endorsement.

B. Because of the juxtaposition of the quotation with others’ quotations.
C. Because of the use of personal data outside of the social networking service (SNS).
D. Because of the misapplication of the household exception in relation to a social networking service (SNS).
Answer: D
NEW QUESTION 119

SCENARIO
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of
their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected
on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for
including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:
“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may
also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in
Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate
safeguards for you and your child’s personal information.
We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you
consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal
information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use
our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right
to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the
right to complain to the supervisory authority about our data processing activities.”
What must the contract between WonderKids and the hosting service provider contain?
A. The requirement to implement technical and organizational measures to protect the data.
B. Controller-to-controller model contract clauses.
C. Audit rights for the data subjects.
D. A non-disclosure agreement.
Answer: A
NEW QUESTION 124

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial
amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building,
hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company
could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
A. Seek informed consent from company employees.

B. Have cameras recording during work hours only.
C. Retain captured footage for no more than 30 days.
D. Restrict camera placement to building entrances only.
Answer: A
NEW QUESTION 127

When may browser settings be relied upon for the lawful application of cookies?
A. When a user rejects cookies that are strictly necessary.

B. When users are aware of the ability to adjust their settings.
C. When users are provided with information about which cookies have been set.
D. When it is impossible to bypass the choices made by users in their browser settings.
Answer: B

NEW QUESTION 131

What must a data controller do in order to make personal data pseudonymous?
A. Separately hold any information that would allow linking the data to the data subject.
B. Encrypt the data in order to prevent any unauthorized access or modification.
C. Remove all indirect data identifiers and dispose of them securely.
D. Use the data only in aggregated form for research purposes.
Answer: A
NEW QUESTION 134

Which of the following would require designating a data protection officer?
A. Processing is carried out by an organization employing 250 persons or more.

B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
Answer: D
NEW QUESTION 136

If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before
taking action in the courts?
A. 1 month.
B. 3 months.
C. 5 months.
D. 12 months.
Answer: B
NEW QUESTION 138

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition
can the organisation charge the data subject for processing the request?
A. Only where the organisation can show that it is reasonable to do so because more than one request was made.
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
C. Only where the administrative costs of taking the action requested exceeds a certain threshold.
D. Only if the organisation can demonstrate that the request is clearly excessive or misguided.
Answer: D
NEW QUESTION 139

A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
A. The ePrivacy Directive

B. The E-Commerce Directive
C. The Data Retention Directive
D. The EU Cybersecurity Directive
Answer: A
NEW QUESTION 143

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition
can the organization charge the data subject a fee for processing the request?
A. Only where the organization can show that it is reasonable to do so because more than one request was made.
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
C. Only where the administrative costs of taking the action requested exceeds a certain threshold.
D. Only if the organization can demonstrate that the request is clearly excessive or misguided.
Answer: B
NEW QUESTION 146

SCENARIO
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary
establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago
while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being
included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of
members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly
associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting
that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes
very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant

to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT
has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under
the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and,
pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and
website.
Assuming that multiple EVETFIT branches across several EU countries are acting as separate data
controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?
A. He will have to sue the EVETFIT’s head office in France, where EVETFIT has its main establishment.
B. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.
C. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or
distress suffered by Javier.
D. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the
decision that was made by the board.
Answer: A
NEW QUESTION 151

Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
A. The European Council

B. The European Parliament
C. The European Commission
D. The Council of the European Union
Answer: D
NEW QUESTION 152

SCENARIO
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin,
Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR)
and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of
information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant
emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that
Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this
assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data
Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s
business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?
A. Information about DPIAs found in Articles 38 through 40 of the GDPR.

B. Data breach documentation that data controllers are required to maintain.
C. Existing DPIA guides published by local supervisory authorities.
D. Records of processing activities that data controllers are required to maintain.
Answer: A
NEW QUESTION 156

SCENARIO
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with
another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts
included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the
use of cookies.
T-C raze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main
product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right
Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is
most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded
nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the
Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication
even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?
A. T-Craze has a French affiliate.

B. The French affiliate procured the services of Right Target.
C. T-Craze conducts its marketing and sales activities in France.
D. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
Answer: C
NEW QUESTION 160

In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

A. When the data is to be processed for market research.

B. When providing preventive or counselling services to the child.
C. When providing the child with materials purely for educational use.
D. When a legitimate business interest makes obtaining consent impractical.
Answer: B
NEW QUESTION 162

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?
A. It cannot be attributed to a data subject without the use of additional information.

B. It cannot be attributed to a person under any circumstances.
C. It can only be attributed to a person by the controller.
D. It can only be attributed to a person by a third party.
Answer: A
NEW QUESTION 163

As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the
Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
A. Supervised by the same Data Protection Officer.

B. Consistent with Privacy Shield requirements
C. Bound by a standard contractual clause.
D. Inextricably linked in their businesses.
Answer: D
NEW QUESTION 168

Which of the following is NOT a role of works councils?
A. Determining the monetary fines to be levied against employers for data breach violations of employee data.
B. Determining whether to approve or reject certain decisions of the employer that affect employees.
C. Determining whether employees’ personal data can be processed or not.
D. Determining what changes will affect employee working conditions.
Answer: C
NEW QUESTION 170

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These
organizations are commonly known as?
A. Law firm organizations.

B. Civil society organizations.
C. Human rights organizations.
D. Constitutional rights organizations.
Answer: A
NEW QUESTION 174

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y
finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to
notify?
A. The public
B. Company X
C. Law enforcement
D. The supervisory authority
Answer: C
NEW QUESTION 178

The Planet 49 CJEU Judgement applies to?
A. Cookies used only by third parties.

B. Cookies that are deemed technically necessary.
C. Cookies regardless of whether the data accessed is personal or not.
D. Cookies where the data accessed is considered as personal data only.
Answer: C
NEW QUESTION 179

SCENARIO
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for

BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a
company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase
history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new
sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security
measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of
technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of
the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?
A. Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.
B. Only the security measures assessed by BHealthy prior to entering into the data processing contract.
C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.
D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.
Answer: A
NEW QUESTION 181

For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?
A. Posting an employee’s bicycle race photo on the company’s social media.

B. Processing an employee’s health certificate in order to provide sick leave.
C. Operating a CCTV system on company premises.
D. Assessing a potential employee’s job application.
Answer: A
NEW QUESTION 184

Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?
A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
Answer: D
NEW QUESTION 186

SCENARIO
Best.
the U.S.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?
A. The Court of Justice of the European Union.

B. The European Data Protection Board.
C. The Data Protection Authority.
D. The European Commission.
Answer: C
NEW QUESTION 187

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?
A. The widgets are offered in EU and priced in euro.

B. The website is in English and French, and is accessible in France.
C. An affiliate office is located in France but the processing is in the U.S.
D. The website places cookies to monitor the EU website user behavior.
Answer: B

NEW QUESTION 191

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?
A. If the data protection officer lacks ISO 27001 auditor certification.

B. If the data protection officer is provided by the data processor.
C. If the data protection officer also manages the marketing budget.
D. If the data protection officer receives instructions from the data controller.
Answer: D
NEW QUESTION 196

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most
important security measure to apply to the health data transmission?
A. Inform the data subject of the security measures in place.

B. Ensure that the receiving entity has signed a data processing agreement.
C. Encrypt the transferred data in transit and at rest.
D. Conduct a data protection impact assessment.
Answer: A
NEW QUESTION 201

SCENARIO
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in
conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s
existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May
2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide
useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior,
Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to
participate in Market4U’s forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U’s forms?
A. Make all the fields optional.

B. Only request the information in brackets (i.e., age group and salary range).
C. Eliminate the fields, as they are not proportional to the services being offered.
D. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.
Answer: D
NEW QUESTION 206

Which of the following is one of the supervisory authority’s investigative powers?
A. To notify the controller or the processor of an alleged infringement of the GDPR.

B. To require that controllers or processors adopt approved data protection certification mechanisms.
C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
D. To require data controllers to provide them with written notification of all new processing activities.
Answer: A
NEW QUESTION 211

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a
breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?
A. Notify affected individuals that their data was unavailable for a period of time.
B. Document the loss of availability to demonstrate accountability
C. Notify the supervisory authority about the loss of availability
D. Conduct a thorough audit of all security systems
Answer: C
NEW QUESTION 213

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by
law and constitutes a measure that is both necessary and what?
A. Prudent.
B. Important.
C. Proportionate.
D. DPA-approved.
Answer: C
NEW QUESTION 217

SCENARIO

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The
answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how
this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center
What presents the BIGGEST potential privacy issue with the company’s practices?
A. The NFC portal can read any data stored in the action figures
B. The information about the data processing involved has not been specified
C. The cloud service provider is in a country that has not been deemed adequate
D. The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities
Answer: B
NEW QUESTION 219

When is data sharing agreement MOST likely to be needed?
A. When anonymized data is being shared.

B. When personal data is being shared between commercial organizations acting as joint data controllers.
C. When personal data is being proactively shared by a controller to support a police investigation.
D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.
Answer: B
NEW QUESTION 224

SCENARIO
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building
Block have provided them before implementing the security measures?
A. Information about what is specified in the employment contract.

B. Information about who employees should contact with any queries.
C. Information about how providing consent could affect them as employees.
D. Information about how the measures are in the best interests of the company.
Answer: A
NEW QUESTION 225

SCENARIO
base.

information.
The Customer for Life plan may conflict with which GDPR provision?
A. Article 6, which requires processing to be lawful.

B. Article 7, which requires consent to be as easy to withdraw as it is to give.
C. Article 16, which provides data subjects with a rights to rectification.
D. Article 20, which gives data subjects a right to data portability.
Answer: B
NEW QUESTION 230

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by
the GDPR?
A. Where the technology supporting the website is located

B. Where the website is accessed
C. Where the decisions about processing are made
D. Where the customer’s Internet service provider is located
Answer: D
NEW QUESTION 232

Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?
A. Anonymizing special categories of data.

B. Conducting regular audits of the data protection program.
C. Getting consent from the data subject for a cross border data transfer.
D. Encrypting data in transit and at rest using strong encryption algorithms.
Answer: B
NEW QUESTION 235

What is the key difference between the European Council and the Council of the European Union?
A. The Council of the European Union is helmed by a president.

B. The Council of the European Union has a degree of legislative power.
C. The European Council focuses primarily on issues involving human rights.
D. The European Council is comprised of the heads of each EU member state.
Answer: D
NEW QUESTION 240

Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A. A company wants to combine location data with other data in order to offer more personalized service for the customer.
B. A company wants to use location data to infer information on a person’s clothes purchasing habits.
C. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
D. A company wants to use location data to track delivery trucks in order to make the routes more efficient.
Answer: C
NEW QUESTION 242

SCENARIO
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to
the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they
can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to
tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best
accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires
will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the
new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices.
The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on
the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a
special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for
these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to
TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a
time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company,
Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files
onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a

crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the
company’s system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?
A. They must report it to TripBliss Inc.

B. They must conduct a full systems audit.
C. They must report it to the supervisory authority.
D. They must inform customers who have used the website.
Answer: B
NEW QUESTION 247

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following
EXCEPT?
A. Consent management and withdrawal.

B. Incident detection and response.
C. Preventative security.
D. Remedial security.
Answer: A
NEW QUESTION 248

SCENARIO
Best.
the U.S.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
A. New corporate governance and code of conduct.

B. A data protection impact assessment.
C. A comprehensive data inventory.
D. Hiring a data protection officer.
Answer: A
NEW QUESTION 251

......

THANKS FOR TRYING THE DEMO OF OUR PRODUCT
Visit Our Site to Purchase the Full Set of Actual CIPP-E Exam Questions With Answers.
We Also Provide Practice Exam Software That Simulates Real Exam Environment And Has Many Self-Assessment Features. Order the CIPP-
E Product From:
https://www.2passeasy.com/dumps/CIPP-E/
Money Back Guarantee
CIPP-E Practice Exam Features:
* CIPP-E Questions and Answers Updated Frequently
* CIPP-E Practice Questions Verified by Expert Senior Certified Staff
* CIPP-E Most Realistic Questions that Guarantee you a Pass on Your FirstTry
* CIPP-E Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year

Powered by TCPDF (www.tcpdf.org)

Iapp Exambible Cipp

Uploaded by

Copyright:

Available Formats

Iapp Exambible Cipp

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iapp Exambible Cipp

Uploaded by

Copyright:

Available Formats

Welcome to download the Newest 2passeasy CIPP-E dumps

https://www.2passeasy.com/dumps/CIPP-E/ (206 New Questions)

Exam Questions CIPP-E

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. The mechanisms through which consent may be communicated

A. All member countries of the European Economic Area.

A. More information about Frank’s data protection training.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Data ownership allocation.

A. No marketing information at all.

A. The right to privacy is an absolute right

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. The establishment of a list of legitimate data processing criteria

A. The Court of Justice of the European Union.

A. That it essentially functions as a one-stop shop mechanism

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

B. That it takes the form of a Regulation as opposed to a Directive

A. Assessed potential privacy risks by conducting a data protection impact assessment.

A. The requirements affected individuals without exception.

A. It determines how long to retain the personal data collected.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. If obtaining consent is deemed to involve disproportionate effort.

A. When the personal data is processed only in non-electronic form

A. Pursue a GDPR-compliant Privacy by Design process.

A. Any act involving the collecting and recording of personal data.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Send out consent forms to all of its employees.

A. The recipients or categories of recipients.

A. Conduct analysis only on anonymized personal data.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Get consent from the app users.

A. When creating an untargeted pop-up ad on a website.

A. After a personal data breach.

A. The European Parliament

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Encrypt the data in transit over the wireless Bluetooth connection.

A. To encourage the consistency of local data processing activity.

A. Germany, because that is where T-Craze is headquartered.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. An evaluation of the complexity of the intended processing.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Notify its Data Protection Authority about the data breach.

A. Both govern international transfers of personal data

A. When an individual has not consented to the marketing.

A. To create and maintain records of processing activities.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

NEW QUESTION 103

NEW QUESTION 108

NEW QUESTION 111

A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.

NEW QUESTION 112

NEW QUESTION 116

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

A. Because of the misrepresentation of personal data as an endorsement.

NEW QUESTION 119

NEW QUESTION 124

A. Seek informed consent from company employees.

NEW QUESTION 127

A. When a user rejects cookies that are strictly necessary.