IAPP CIPP-E Last 24 Hours Result


13

Students Passed

90%

Average Marks

88%

Questions from this dumps

307

Total Questions

IAPP CIPP-E Dumps

Dumps4download providing 100% reliable Exam dumps that are verified by experts panel. Our Dumps4download CIPP-E study material are totally unique and exam questions are valid all over the world. By using our CIPP-E dumps we assure you that you will pass your exam on first attempt. You can easily score more than 97%.

100% exam passing Guarantee on your purchased exams.

100% money back guarantee if you will not clear your exam.

IAPP CIPP-E Practice Test Helps You Turn Dreams To Reality!

IT Professionals from every sector are looking up certifications to boost their careers. IAPP being the leader certification provider earns the most demand in the industry.

The IAPP Certification is your short-cut to an ever-growing success. In the process, Dumps4download is your strongest coordinator, providing you with the best CIPP-E Dumps PDF as well as Online Test Engine. Let’s steer your career to a more stable future with interactive and effective CIPP-E Practice Exam Dumps.

Many of our customers are already excelling in their careers after achieving their goals with our help. You can too be a part of that specialized bunch with a little push in the right direction. Let us help you tread the heights of success.

Apply for the CIPP-E Exam right away so you can get certified by using our IAPP Dumps.



Bulk Exams Package



2 Exams Files

10% off

  • 2 Different Exams
  • Latest and Most Up-todate Dumps
  • Free 3 Months Updates
  • Exam Passing Guarantee
  • Secure Payment
  • Privacy Protection

3 Exams Files

15% off

  • 3 Different Exams
  • Latest and Most Up-todate Dumps
  • Free 3 Months Updates
  • Exam Passing Guarantee
  • Secure Payment
  • Privacy Protection

5 Exams Files

20% off

  • 5 Different Exams
  • Latest and Most Up-todate Dumps
  • Free 3 Months Updates
  • Exam Passing Guarantee
  • Secure Payment
  • Privacy Protection

10 Exams Files

25% off

  • 10 Different Exams
  • Latest and Most Up-todate Dumps
  • Free 3 Months Updates
  • Exam Passing Guarantee
  • Secure Payment
  • Privacy Protection

Dumps4download Leads You To A 100% Success in First Attempt!

Our CIPP-E Dumps PDF is intended to meet the requirements of the most suitable method for exam preparation. We especially hired a team of experts to make sure you get the latest and compliant CIPP-E Practice Test Questions Answers. These questions are been selected according to the most relevance as well as the highest possibility of appearing in the exam. So, you can be sure of your success in the first attempt.

Interactive & Effective CIPP-E Dumps PDF + Online Test Engine

Aside from our IAPP CIPP-E Dumps PDF, we invest in your best practice through Online Test Engine. They are designed to reflect the actual exam format covering each topic of your exam. Also, with our interactive interface focusing on the exam preparation is easier than ever. With an easy-to-understand, interactive and effective study material assisting you there is nothing that could go wrong. We are 100% sure that our CIPP-E Questions Answers Practice Exam is the best choice you can make to pass the exam with top score.

How Dumps4download Creates Better Opportunities for You!

Dumps4download knows how hard it is for you to beat this tough IAPP Exam terms and concepts. That is why to ease your preparation we offer the best possible training tactics we know best. Online Test Engine provides you an exam-like environment and PDF helps you take your study guide wherever you are. Best of all, you can download CIPP-E Dumps PDF easily or better print it. For the purpose of getting concepts across as easily as possible, we have used simple language. Adding explanations at the end of the CIPP-E Questions and Answers Practice Test we ensure nothing slips your grasp.

The exam stimulation is 100 times better than any other test material you would encounter. Besides, if you are troubled with anything concerning Certified Information Privacy Professional/Europe (CIPP/E) Exam or the CIPP-E Dumps PDF, our 24/7 active team is quick to respond. So, leave us a message and your problem will be solved in a few minutes.

Get an Absolutely Free Demo Today!

Dumps4download offers an absolutely free demo version to test the product with sample features before actually buying it. This shows our concern for your best experience. Once you are thoroughly satisfied with the demo you can get the Certified Information Privacy Professional/Europe (CIPP/E) Practice Test Questions instantly.

24/7 Online Support – Anytime, Anywhere

Have a question? You can contact us anytime, anywhere. Our 24/7 Online Support makes sure you have absolutely no problem accessing or using Certified Information Privacy Professional/Europe (CIPP/E) Practice Exam Dumps. What’s more, Dumps4download is mobile compatible so you can access the site without having to log in to your Laptop or PC.

Features to use Dumps4download CIPP-E Dumps:

  • Thousands of satisfied customers.
  • Good grades are 100% guaranteed.
  • 100% verified by Experts panel.
  • Up to date exam data.
  • Dumps4download data is 100% trustworthy.
  • Passing ratio more than 99%
  • 100% money back guarantee.

IAPP CIPP-E Frequently Asked Questions

IAPP CIPP-E Sample Questions

Question # 1

Which of the following was the first to implement national law for data protection in 1973? 

A. France  
B. Sweden  
C. Germany  
D. United Kingdom  


Question # 2

SCENARIOPlease use the following to answer the next question:Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of amultinational pharmaceutical company on a clinical trial related to COVID-19. As part of hisonboarding process Jack received privacy training He was explicitly informed that while hewould need to process confidential patient data in the course of his work, he may under nocircumstances use this data for anything other than the performance of work-related (asksThis was also specified in the privacy policy, which Jack signed upon conclusion of thetraining.After several months of employment, Jack got into an argument with a patient over thephone. Out of anger he later posted the patient's name and hearth information, along withdisparaging comments, on a social media website. When this was discovered by hisPharmacovigilance supervisors. Jack was immediately dismissedJack's lawyer sent a letter to the company stating that dismissal was a disproportionatesanction, and that if Jack was not reinstated within 14 days his firm would have noalternative but to commence legal proceedings against the company. This letter wasaccompanied by a data access request from Jack requesting a copy of "all personal data,including internal emails that were sent/received by Jack or where Jack is directly orindirectly identifiable from the contents * In relation to the emails Jack listed six members ofthe management team whose inboxes he required access.The company conducted an initial search of its IT systems, which returned a large amountof information They then contacted Jack, requesting that he be more specific regardingwhat information he required, so that they could carry out a targeted search Jackresponded by stating that he would not narrow the scope of the information requester.What would be the most appropriate response to Jacks data subject access request?

A. The company should not provide any information, as the company is headquarteredoutside of the EU. 
B. The company should decline to provide any information, as the amount of informationrequested is too excessive to provide in one month. 
C. The company should cite the need for an extension, and agree to provide theinformation requested in Jack's original DSAR within a period of 3 months. 
D. The company should provide all requested information except for the emails, as they areexcluded from data access request requirements under the GDPR. 


Question # 3

The GDPR's list of processor obligations regarding cloud computing includes all of thefollowing EXCEPT?

A. Controllers must be given notice of any subprocessors and have a right of objection.  
B. Individuals authorized to process the personal data are subject to an obligation of confidentiality. 
C. Any personal data related to data subjects must be securely maintained for a maximumof ten years. 
D. Processors must implement technical and organizational measures to ensure a level ofsecurity appropriate to the risk. 


Question # 4

According to the European Data Protection Board, which of the following concepts orpractices does NOT follow from the principles relating to the processing of personal dataunder EU data protection law?

A. Data ownership allocation.  
B. Access control management.  
C. Frequent pseudonymization key rotation.  
D. Error propagation avoidance along the processing chain.  


Question # 5

What monitoring may lawfully be performed within the scope of Gentle Hedgehog'sbusiness?

A. Everything offered by Sauron Eye's software in relation to activity by sales team contractors. 
B. Everything offered by Sauron Eye's software, assuming employees provide dailyconsent to the monitoring. 
C. Only emails, website browsing history, and camera for internal video calls conducted ina non-secure environment. 
D. Only emails, website browsing history, and camera for internal video calls that areexpressly marked as monitored. 


Question # 6

ISO 31700 has set forth requirements relating to consumer products and services. Inparticular, this international standard focuses on the implementation of which of thefollowing?

A. Privacy by design.  
B. Comprehensive ethical Al software.  
C. Privacy notices for companies providing services to consumers.  
D. Automated systems for identifying EU data subjects' personal data.  


Question # 7

SCENARIOPlease use the following to answer the next question:Liem, an online retailer known for its environmentally friendly shoes, has recently expandedits presence in Europe. Anxious to achieve market dominance, Liem teamed up withanother eco friendly company, EcoMick, which sells accessories like belts and bags.Together the companies drew up a series of marketing campaigns designed to highlight theenvironmental and economic benefits of their products. After months of planning, Liem andEcoMick entered into a data sharing agreement to use the same marketing database,MarketIQ, to send the campaigns to their respective contacts.Liem and EcoMick also entered into a data processing agreement with MarketIQ, the termsof which included processing personal data only upon Liem and EcoMick’s instructions,and making available to them all information necessary to demonstrate compliance withGDPR obligations.Liem and EcoMick then procured the services of a company called JaphSoft, a marketingoptimization firm that uses machine learning to help companies run successful campaigns.Clients provide JaphSoft with the personal data of individuals they would like to be targetedin each campaign. To ensure protection of itsclients’ data, JaphSoft implements the technical and organizational measures it deemsappropriate. JaphSoft works to continually improve its machine learning models byanalyzing the data it receives from its clients to determine the most successful componentsof a successful campaign. JaphSoft then uses such models in providing services to itsclient-base. Since the models improve only over a period of time as more information iscollected, JaphSoft does not have a deletion process for the data it receives from clients.However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes thepersonal data by removing identifyinginformation from the contact information. JaphSoft’s engineers, however, maintain allcontact information in the same database as the identifying information.Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, whichincluded contact information as well as prior purchase history for such contacts, to createcampaigns that would result in the most views of the two companies’ websites. A prior Liemcustomer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s aswell as EcoMick’s latest products. While Ms. Iman recalls checking a box to receiveinformation in the future regarding Liem’s products, she has never shopped EcoMick, norprovided her personal data to that company.Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of thefollowing provisions EXCEPT?

A. Processing the personal data upon documented instructions regarding data transfersoutside of the EEA. 
B. Notification regarding third party requests for access to Liem and EcoMick’s personal data. 
C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
D. Returning or deleting personal data after the end of the provision of the services.  


Question # 8

Which of the following is NOT recognized as a common characteristic of cloud computingservices?

A. The service's infrastructure is shared among the supplier's customers and can belocated in a number of countries. 
B. The supplier determines the location, security measures, and service standardsapplicable to the processing. 
C. The supplier allows customer data to be transferred around the infrastructure accordingto capacity.  
D. The supplier assumes the vendor's business risk associated with data processed by the supplier. 


Question # 9

SCENARIOPlease use the following to answer the next question:You have just been hired by a toy manufacturer based in Hong Kong. The company sells abroad range of dolls, action figures and plush toys that can be found internationally in awide variety of retail stores. Although the manufacturer has no offices outside Hong Kongand in fact does not employ any staff outside Hong Kong, it has entered into a number oflocal distribution contracts. The toys produced by the company can be found in all populartoy stores throughout Europe, the United States and Asia. A large portion of the company’srevenue is due to international sales.The company now wishes to launch a new range of connected toys, ones that can talk andinteract with children. The CEO of the company is touting these toys as the next big thing,due to the increased possibilities offered: The figures can answer children’s Questions: onvarious subjects, such as mathematical calculations or the weather. Each figure isequipped with a microphone and speaker and can connect to any smartphone or tablet viaBluetooth. Any mobile device within a 10-meter radius can connect to the toys viaBluetooth as well. The figures can also be associated with other figures (from the samemanufacturer) and interact with each other for an enhanced play experience.When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, andthe answer is generated on cloud servers and sent back to the figure. The answer is giventhrough the figure’s integratedspeakers, making it appear as though that the toy is actually responding to the child’sQUESTION. The packaging of the toy does not provide technical details on how this works,nor does it mention that this feature requires an internet connection. The necessary dataprocessing for this has been outsourced to a data center located in South Africa. However,your company has not yet revised its consumer-facing privacy policy to indicate this.In parallel, the company is planning to introduce a new range of game systems throughwhich consumers can play the characters they acquire in the course of playing the game.The system will come bundled with a portal that includes a Near-Field Communications(NFC) reader. This device will read an RFID tag in the action figure, making the figurecome to life onscreen. Each character has its own stock features and abilities, but it is alsopossible to earn additional ones by accomplishing game goals. The only information storedin the tag relates to the figures’ abilities. It is easy to switch characters during the game,and it is possible to bring the figure to locations outside of the home and have thecharacter’s abilities remain intact.To ensure GDPR compliance, what should be the company’s position on the issue ofconsent?

A. The child, as the user of the action figure, can provide consent himself, as long as noinformation is shared for marketing purposes. 
B. Written authorization attesting to the responsible use of children’s data would need to beobtained from the supervisory authority. 
C. Consent for data collection is implied through the parent’s purchase of the action figurefor the child. 
D. Parental consent for a child’s use of the action figures would have to be obtained beforeany data could be collected. 


Question # 10

Bioface is a company based in the United States. It has no servers, personnel or assets inthe European Union. By collecting photographs from social media and other web-basedservices, such as newspapers and blogs, it uses machine learning to develop a facialrecognition algorithm. The algorithm identifies individuals in photographs who are not in itsdata set based the algorithm and its existing data. The service collects photographs of datasubjects in the European Union and will identify them if presented with their photographs.Bioface offers its service to government agencies and companies in the United States andCanada, but not to those in the European Union. Bioface does not offer the service toindividuals.Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A. It collects data from European Union websites, which constitutes an establishment in theEuropean Union. 
B. It offers services in the European Union by identifying data subjects in the European Union. 
C. It collects data from subjects and uses it for automated processing.  
D. It monitors the behavior of data subjects in the European Union.  


Question # 11

Which of the following is NOT a role of works councils? 

A. Determining the monetary fines to be levied against employers for data breach violationsof employee data. 
B. Determining whether to approve or reject certain decisions of the employer that affectemployees. 
C. Determining whether employees’ personal data can be processed or not.  
D. Determining what changes will affect employee working conditions.  


Question # 12

SCENARIOPlease use the following to answer the next question:You have just been hired by a toy manufacturer based in Hong Kong. The company sells abroad range of dolls, action figures and plush toys that can be found internationally in awide variety of retail stores. Although the manufacturer has no offices outside Hong Kongand in fact does not employ any staff outside Hong Kong, it has entered into a number oflocal distribution contracts. The toys produced by the company can be found in all populartoy stores throughout Europe, the United States and Asia. A large portion of the company’srevenue is due to international sales.The company now wishes to launch a new range of connected toys, ones that can talk andinteract with children. The CEO of the company is touting these toys as the next big thing,due to the increased possibilities offered: The figures can answer children’s Questions: onvarious subjects, such as mathematical calculations or the weather. Each figure isequipped with a microphone and speaker and can connect to any smartphone or tablet viaBluetooth. Any mobile device within a 10-meter radius can connect to the toys viaBluetooth as well. The figures can also be associated with other figures (from the samemanufacturer) and interact with each other for an enhanced play experience.When a child asks the toy a question, the request is sent to the cloud for analysis, and theanswer is generated on cloud servers and sent back to the figure. The answer is giventhrough the figure’s integratedspeakers, making it appear as though that the toy is actually responding to the child’squestion. The packaging of the toy does not provide technical details on how this works,nor does it mention that this feature requires an internet connection. The necessary dataprocessing for this has been outsourced to a data center located in South Africa. However,your company has not yet revised its consumer-facing privacy policy to indicate this.In parallel, the company is planning to introduce a new range of game systems throughwhich consumers can play the characters they acquire in the course of playing the game.The system will come bundled with a portal that includes a Near-Field Communications(NFC) reader. This device will read an RFID tag in the action figure, making the figurecome to life onscreen. Each character has its own stock features and abilities, but it is alsopossible to earn additional ones by accomplishing game goals. The only information storedin the tag relates to the figures’ abilities. It is easy to switch characters during the game,and it is possible to bring the figure to locations outside of the home and have thecharacter’s abilities remain intact.What presents the BIGGEST potential privacy issue with the company’s practices?

A. The NFC portal can read any data stored in the action figures  
B. The information about the data processing involved has not been specified  
C. The cloud service provider is in a country that has not been deemed adequate  
D. The RFID tag in the action figures has the potential for misuse because of the toy’sevolving capabilities 


Question # 13

What must a data controller do in order to make personal data pseudonymous? 

A. Separately hold any information that would allow linking the data to the data subject.  
B. Encrypt the data in order to prevent any unauthorized access or modification.  
C. Remove all indirect data identifiers and dispose of them securely.  
D. Use the data only in aggregated form for research purposes.  


Question # 14

SCENARIOPlease use the following to answer the next question:Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of amultinational pharmaceutical company on a clinical trial related to COVID-19. As part of hisonboarding process Jack received privacy training He was explicitly informed that while hewould need to process confidential patient data in the course of his work, he may under nocircumstances use this data for anything other than the performance of work-related (asksThis was also specified in the privacy policy, which Jack signed upon conclusion of thetraining.After several months of employment, Jack got into an argument with a patient over thephone. Out of anger he later posted the patient's name and hearth information, along withdisparaging comments, on a social media website. When this was discovered by hisPharmacovigilance supervisors. Jack was immediately dismissedJack's lawyer sent a letter to the company stating that dismissal was a disproportionatesanction, and that if Jack was not reinstated within 14 days his firm would have noalternative but to commence legal proceedings against the company. This letter wasaccompanied by a data access request from Jack requesting a copy of "all personal data,including internal emails that were sent/received by Jack or where Jack is directly orindirectly identifiable from the contents In relation to the emails Jack listed six members ofthe management team whose inboxes he required access.The company conducted an initial search of its IT systems, which returned a large amountof information They then contacted Jack, requesting that he be more specific regardingwhat information he required, so that they could carry out a targeted search Jackresponded by stating that he would not narrow the scope of the information requester.Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liablefor the damage caused by the data breach?

A. Both parties are exempt, as the company is involved in human health research  
B. Jack and the pharmaceutical company are jointly liable.  
C. The pharmaceutical company is liable.  
D. Jack is liable  


Question # 15

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistentwith a principle found in the GDPR?

A. The obligation of companies to declare data breaches.  
B. The requirement to demonstrate compliance to a supervisory authority.  
C. The necessity of the bulk collection of personal data by the government.  


Question # 16

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-tickedboxes?

A. They are allowed if determined to be technically necessary.  
B. They do not amount to valid consent under any circumstances.  
C. They are allowed if recorded In the register of processing activities.  
D. They constitute valid consent if the processing is necessary for purposes of legitimate interest


Question # 17

The European Parliament jointly exercises legislative and budgetary functions with which ofthe following?

A. The European Commission.  
B. The Article 29 Working Party.  
C. The Council of the European Union.  
D. The European Data Protection Board.  


Question # 18

A multinational company is appointing a mandatory data protection officer. In addition toconsidering the rules set out in Article 37 (1) of the GDPR, which of the following actionsmust the company also undertake to ensure compliance in all EU jurisdictions in which itoperates?

A. Consult national derogations to evaluate if there are additional cases to be considered inrelation to the matter. 
B. Conduct a Data Protection Privacy Assessment on the processing operations of thecompany in all the countries it operates.
C. Assess whether the company has more than 250 employees in each of the EU memberstates in which it is established. 
D. Revise the data processing activities of the company that affect more than onejurisdiction to evaluate whether they comply with the principles of privacy by design and bydefault. 


Question # 19

SCENARIOPlease use the following to answer the next question:Gentle Hedgehog Inc. is a privately owned website design agency incorporated inItaly. The company has numerous remote workers in different EU countries. Recently,the management of Gentle Hedgehog noticed a decrease in productivity of their salesteam, especially among remote workers. As a result, the company plans to implementa robust but privacy-friendly remote surveillance system to prevent absenteeism,reward top performers, and ensure the best quality of customer service when salespeople are interacting with customers.Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employeesurveillance software whose European headquarters is in Germany. Sauron Eye'ssoftware provides powerful remote-monitoring capabilities, including 24/7 access tocomputer cameras and microphones, screen captures, emails, website history, andkeystrokes. Any device can be remotely monitored from a central server that issecurely installed at Gentle Hedgehog headquarters. The monitoring is invisible bydefault; however, a so-called Transparent Mode, which regularly and conspicuouslynotifies all users about the monitoring and its precise scope, also exists. Additionally,the monitored employees are required to use a built-in verification technologyinvolving facial recognition each time they log in.All monitoring data, including the facial recognition data, is securely stored in MicrosoftAzure cloud servers operated by Sauron Eye, which are physically located in France.What is the main problem with the 24/7 camera monitoring?

A. It must not be operated during non-business hours and employee holidays.  
B. It may accidentally film third parties whose consent is required for monitoring.  
C. It has no valid legal basis to be implemented in the context of Gentle Hedgehog's business.  
D. It must first be approved by the trade union and then granted a license from the nationalDPA. 


Question # 20

Under Article 21 of the GDPR, a controller must stop profiling when requested by a datasubject, unless it can demonstrate compelling legitimate grounds that override the interestsof the individual. In the Guidelines on Automated individual decision-making and Profiling,the WP 29 says the controller needs to do all of the following to demonstrate that it hassuch legitimate grounds EXCEPT?

A. Carry out an exercise that weighs the interests of the controller and the basis for thedata subject’s objection. 
B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.  
C. Demonstrate that the profiling is for the purposes of direct marketing.  
D. Consider the importance of the profiling to their particular objective.  


Question # 21

SCENARIOPlease use the following to answer the next question:T-Craze, a German-headquartered specialty t-shirt company, was successfully selling tolarge German metropolitan cities. However, after a recent merger with another Germanbased company that was selling to a broader European market, T-Craze revamped itsmarketing efforts to sell to a wider audience. These efforts included a complete redesign ofits logo to reflect the recent merger, and improvements to its website meant to capturemore information about visitors through the use of cookies.T-Craze also opened various office locations throughout Europe to help expand itsbusiness. While GermanyTarget, a renowned marketing firm based in the Philippines, to run its latest marketingcampaign. After thorough research, Right Target determined that T-Craze is mostsuccessful with customers between the ages of 18 and 22. Thus, its first campaign targeteduniversity students in several European capitals, which yielded nearly 40% new customersfor T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze,though with much less success.The last two campaigns included a wider demographic group and resulted in countlessunsubscribe requests, including a large number in Spain. In fact, the Spanish dataprotection authority received a complaint from Sofia, a mid-career investment banker. Sofiawas upset after receiving a marketing communication even after unsubscribing from suchcommunications from the Right Target on behalf of T-Craze.What is the best option for the lead regulator when responding to the Spanish supervisoryauthority’s notice that it plans to take action regarding Sofia’s complaint?

A. Accept, because it did not receive any complaints.  
B. Accept, because GDPR permits non-lead authorities to take action for such complaints.  
C. Reject, because Right Target’s processing was conducted throughout Europe.  
D. Reject, because GDPR does not allow other supervisory authorities to take action ifthere is a lead authority. 


Question # 22

If a company chooses to ground an international data transfer on the contractual route,which of the following is NOT a valid set of standard contractual clauses?

A. Decision 2001/497/EC (EU controller to non-EU or EEA controller).  
B. Decision 2004/915/EC (EU controller to non-EU or EEA controller).  
C. Decision 2007/72/EC (EU processor to non-EU or EEA controller).  
D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller).  


Question # 23

Which statement is correct when considering the right to privacy under Article 8 of theEuropean Convention on Human Rights (ECHR)?

A. The right to privacy is an absolute right  
B. The right to privacy has to be balanced against other rights under the ECHR  
C. The right to freedom of expression under Article 10 of the ECHR will always override theright to privacy 
D. The right to privacy protects the right to hold opinions and to receive and impart ideaswithout interference 


Question # 24

SCENARIOPlease use the following to answer the next question:Gentle Hedgehog Inc. is a privately owned website design agency incorporated inItaly. The company has numerous remote workers in different EU countries. Recently,the management of Gentle Hedgehog noticed a decrease in productivity of their salesteam, especially among remote workers. As a result, the company plans to implementa robust but privacy-friendly remote surveillance system to prevent absenteeism,reward top performers, and ensure the best quality of customer service when salespeople are interacting with customers.Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employeesurveillance software whose European headquarters is in Germany. Sauron Eye'ssoftware provides powerful remote-monitoring capabilities, including 24/7 access tocomputer cameras and microphones, screen captures, emails, website history, andkeystrokes. Any device can be remotely monitored from a central server that issecurely installed at Gentle Hedgehog headquarters. The monitoring is invisible bydefault; however, a so-called Transparent Mode, which regularly and conspicuouslynotifies all users about the monitoring and its precise scope, also exists. Additionally,the monitored employees are required to use a built-in verification technologyinvolving facial recognition each time they log in.All monitoring data, including the facial recognition data, is securely stored in MicrosoftAzure cloud servers operated by Sauron Eye, which are physically located in France.What monitoring may be lawfully performed within the scope of Gentle Hedgehog'sbusiness?

A. Everything offered by Sauron Eye's software with the exception of camera andmicrophone monitoring. 
B. Everything offered by Sauron Eye's software, assuming employees provide dailyconsent to the monitoring. 
C. Only video calls conducted during business hours and emails that do not contain a"private" or "personal" tag. 
D. Only emails, website browsing history and camera for internal video calls that areexpressly marked as monitored. 


Question # 25

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing? 

A. When an individual has not consented to the marketing.  
B. When an individual’s details are obtained from their inquiries about buying a product.  
C. Where an individual’s details have been obtained from a bought-in marketing list.  
D. Where an individual is given the ability to unsubscribe from marketing emails sent to him. 


Question # 26

The GDPR forbids the practice of “forum shopping”, which occurs when companies dowhat?

A. Choose the data protection officer that is most sympathetic to their business concerns.  
B. Designate their main establishment in member state with the most flexible practices.  
C. File appeals of infringement judgments with more than one EU institution simultaneously
D. Select third-party processors on the basis of cost rather than quality of privacy protection.  


Question # 27

SCENARIOPlease use the following to answer the next question:You have just been hired by a toy manufacturer based in Hong Kong. The company sells abroad range of dolls, action figures and plush toys that can be found internationally in awide variety of retail stores. Although the manufacturer has no offices outside Hong Kongand in fact does not employ any staff outside Hong Kong, it has entered into a number oflocal distribution contracts. The toys produced by the company can be found in all populartoy stores throughout Europe, the United States and Asia. A large portion of the company’srevenue is due to international sales.The company now wishes to launch a new range of connected toys, ones that can talk andinteract with children. The CEO of the company is touting these toys as the next big thing,due to the increased possibilities offered: The figures can answer children’s Questions: onvarious subjects, such as mathematical calculations or the weather. Each figure isequipped with a microphone and speaker and can connect to any smartphone or tablet viaBluetooth. Any mobile device within a 10-meter radius can connect to the toys viaBluetooth as well. The figures can also be associated with other figures (from the samemanufacturer) and interact with each other for an enhanced play experience.When a child asks the toy a question, the request is sent to the cloud for analysis, and theanswer is generated on cloud servers and sent back to the figure. The answer is giventhrough the figure’s integratedspeakers, making it appear as though that the toy is actually responding to the child’squestion. The packaging of the toy does not provide technical details on how this works,nor does it mention that this feature requires an internet connection. The necessary dataprocessing for this has been outsourced to a data center located in South Africa. However,your company has not yet revised its consumer-facing privacy policy to indicate this.In parallel, the company is planning to introduce a new range of game systems throughwhich consumers can play the characters they acquire in the course of playing the game.The system will come bundled with a portal that includes a Near-Field Communications(NFC) reader. This device will read an RFID tag in the action figure, making the figurecome to life onscreen. Each character has its own stock features and abilities, but it is alsopossible to earn additional ones by accomplishing game goals. The only information storedin the tag relates to the figures’ abilities. It is easy to switch characters during the game,and it is possible to bring the figure to locations outside of the home and have thecharacter’s abilities remain intact.Why is this company obligated to comply with the GDPR?

A. The company has offices in the EU.  
B. The company employs staff in the EU.  
C. The company’s data center is located in a country outside the EU.  
D. The company’s products are marketed directly to EU customers.  


Question # 28

SCENARIOPlease use the following to answer the next question:Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located inGreece (5), Italy (15) and Spain (1), have registered their most profitable resultsever. To celebrate this achievement, ARRA Hotels' Human Resources office, basedin ARRA's main Italian establishment, has organized a team event for its 420employees and their families at its hotel in Spain.Upon arrival at the hotel, each employee and family member is given an electronicwristband at the reception desk. The wristband serves a number of functions:. Allows access to the "party zone" of the hotel, and emits a buzz if the userapproaches any unauthorized areas. Allows up to three free drinks for each person of legal age, and emits abuzz once this limit has been reached. Grants a unique ID number for participating in the games and contests thathave been planned.Along with the wristband, each guest receives a QR code that leads to the onlineprivacy notice describing the use of the wristband. The page also contains anunchecked consent checkbox. In the case of employee family members under theage of 16, consent must be given by a parent.Among the various activities planned for the event, ARRA Hotels' HR office hasautonomously set up a photocall area, separate from the main event venue, whereemployees can come and have their pictures taken in traditional carnival costume.The photos will be posted on ARRA Hotels' main website for general marketingpurposes.On the night of the event, an employee from one of ARRA's Greek hotels isdispleased with the results of the photos in which he appears. He intends to file acomplaint with the relevant supervisory authority in regard to the following:. The lack of any privacy notice in the separate photocall areaThe unlawful cross-border processing of his personal data. The unacceptable aesthetic outcome of his photosWhich of the following principles has likely been violated in the processing of thephotocall photos containing personal data?

A. Adequacy.  
B. Lawfulness.  
C. Transparency.  
D. Data minimization.  


Question # 29

A company would like to implement CCTV monitoring in its offices for safety and securitypurposes. Which of the following would be the best legal basis for the company to relyupon?

A. Public interest.  
B. Individual consent  
C. Legitimate interest.  
D. Exercise of pubic authority.  


Question # 30

SCENARIOPlease use the following to answer the next question:ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. Theyuse an internet-based common platform for collecting and sharing their customer data witheach other, in order to integrate their marketing efforts. Additionally, they agree on the datato be stored, how reservations will be booked and confirmed, and who has access to thestored data.Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agencyto stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program thatallows customers to sign up to accumulate points that can later be redeemed for free travel.Mike has signed the agreement to be a rewards program member.Now Mike wants to know what personal information the company holds about him. Hesends an email requesting access to his data, in order to exercise what he believes are hisdata subject rights.What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike’s request.  
B. Not more than two months after verifying Mike’s identity.  
C. When all the information about Mike has been collected.  
D. Not more than thirty days after submission of Mike’s request.  


Question # 31

SCENARIOPlease use the following to answer the next question:Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer thatemploys approximately 650 people at its headquarters based in Dublin, Ireland. Martin istheir recently appointed data protection officer, who oversees the company’s compliancewith the General Data Protection Regulation (GDPR) and other privacy legislation.The company offers both male and female clothing lines across all age demographics,including children. In doing so, the company processes large amounts of information aboutsuch customers, including preferences and sensitive financial information such as creditcard and bank account numbers.In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the companyis launching a new mobile app and loyalty scheme that puts significant emphasis onprofiling the company’s customers by analyzing their purchases. Martin tells the CEO that:(a) the potential risks of such activities means that Zandelay needs to carry out a dataprotection impact assessment to assess this new venture and its privacy implications; and(b) where the results of this assessment indicate a high risk in the absence of appropriateprotection measures. Zandelay may have to undertake a prior consultation with the IrishData Protection Commissioner before implementing the app and loyalty scheme.Jerry tells Martin that he is not happy about the prospect of having to directly engage with asupervisory authority and having to disclose details of Zandelay’s business plan andassociated processing activities.What must Zandelay provide to the supervisory authority during the prior consultation?

A. An evaluation of the complexity of the intended processing.  
B. An explanation of the purposes and means of the intended processing.  
C. Records showing that customers have explicitly consented to the intended profiling activities.
D. Certificates that prove Martin’s professional qualities and expert knowledge of dataprotection law.


Question # 32

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if? 

A. It cannot be attributed to a data subject without the use of additional information.  
B. It cannot be attributed to a person under any circumstances.  
C. It can only be attributed to a person by the controller.  
D. It can only be attributed to a person by a third party.  


Question # 33

An organisation receives a request multiple times from a data subject seeking to exercisehis rights with respect to his own personal data. Under what condition can the organisationcharge the data subject for processing the request?

A. Only where the organisation can show that it is reasonable to do so because more thanone request was made. 
B. Only to the extent this is allowed under the restrictions on data subjects’ rightsintroduced under Art 23 of GDPR. 
C. Only where the administrative costs of taking the action requested exceeds a certainthreshold.  
D. Only if the organisation can demonstrate that the request is clearly excessive or misguided. 


Question # 34

SCENARIOPlease use the following to answer the next question:BHealthy, a company based in Italy, is ready to launch a new line of natural products, witha focus on sunscreen. The last step prior to product launch is for BHealthy to conductresearch to decide how extensively to market its new line of sunscreens across Europe. Todo so, BHealthy teamed up with Natural Insight, a company specializing in determiningpricing for natural products. BHealthy decided to share its existing customer information –name, location, and prior purchase history – with Natural Insight. Natural Insight intends touse this information to train its algorithm to help determine the price point at whichBHealthy can sell its new sunscreens.Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s securitypractices and concluded that the company has sufficient security measures to protect thecontact information. Additionally, BHealthy’s data processing contractual terms with NaturalInsight require continued implementation of technical and organization measures. Alsoindicated in the contract are restrictions on use of the data provided by BHealthy for anypurpose beyond provision of the services, which include use of the data for continuedimprovement of Natural Insight’s machine learning algorithms.What is the nature of BHealthy and Natural Insight’s relationship?

A. Natural Insight is BHealthy’s processor because the companies entered into dataprocessing terms. 
B. Natural Insight is BHealthy’s processor because BHealthy is sharing its customerinformation with Natural Insight. 
C. Natural Insight is the controller because it determines the security measures toimplement to protect data it processes; BHealthy is a co-controller because it engagedNatural Insight to determine pricing for the new sunscreens. 
D. Natural Insight is a controller because it is separately determine the purpose ofprocessing when it uses BHealthy’s customer information to improve its machine learningalgorithms. 


Question # 35

SCENARIOPlease use the following to answer the next question:Anna and Frank both work at Granchester University. Anna is a lawyer responsible for dataprotection, while Frank is a lecturer in the engineering department. The Universitymaintains a number of types of records:Student records, including names, student numbers, home addresses, preuniversity information, university attendance and performance records, details ofspecial educational needs and financial information.Staff records, including autobiographical materials (such as curricula, professionalcontact files, student evaluations and other relevant teaching files).Alumni records, including birthplaces, years of birth, dates of matriculation andconferrals of degrees. These records are available to former students afterregistering through Granchester’s Alumni portal. Department for Educationrecords, showing how certain demographic groups (such as first-generationstudents) could be expected, on average, to progress. These records do notcontain names or identification numbers.Under their security policy, the University encrypts all of its personal data recordsin transit and at rest.In order to improve his teaching, Frank wants to investigate how his engineering studentsperform in relational to Department for Education expectations. He has attended one ofAnna’s data protection training courses and knows that he should use no more personaldata than necessary to accomplish his goal. He creates aprogram that will only export some student data: previous schools attended, gradesoriginally obtained, grades currently obtained and first time university attended. He wants tokeep the records at the individual student level. Mindful of Anna’s training, Frank runs thestudent numbers through an algorithm to transform them into different reference numbers.He uses the same algorithm on each occasion so that he can update each record overtime.One of Anna’s tasks is to complete the record of processing activities, as required by theGDPR. After receiving her email reminder, as required by the GDPR. After receiving heremail reminder, Frank informs Anna about his performance database.Ann explains to Frank that, as well as minimizing personal data, the University has to checkthat this new use of existing data is permissible. She also suspects that, under the GDPR,a risk analysis may have to be carried out before the data processing can take place. Annaarranges to discuss this further with Frank after she hasdone some additional research.Frank wants to be able to work on his analysis in his spare time, so he transfers it to hishome laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into theUniversity he loses it on the train. Frank has to see Anna that day to discuss compatibleprocessing. He knows that he needs to report security incidents, so he decides to tell Annaabout his lost laptop at the same time.Anna will find that a risk analysis is NOT necessary in this situation as long as?

A. The data subjects are no longer current students of Frank’s  
B. The processing will not negatively affect the rights of the data subjects  
C. The algorithms that Frank uses for the processing are technologically sound  
D. The data subjects gave their unambiguous consent for the original processing  


Question # 36

Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search enginescases, all of the following would be valid grounds for data subject delisting requestsEXCEPT?

A. The personal dale has been collected in relation to the offer of Information societyservices (ISS) to a child. 
B. The data subject withdraws consent and there is no other legal basis for the processing.  
C. The personal data is no longer necessary in relation to the search engine provider'sprocessing 
D. The processing s necessary for exercising the right of freedom of expression andinformation 


Question # 37

According to the European Data Protection Board, data subjects should be aware of anyvideo surveillance in operation. How should a retail shop operator ensure that data subjectsreceive at information required for such a purpose under EU data protection law?

A. The shop operator should post a copy of the manual of the video surveillance system inthe shop and on its social media channels. 
B. The shop operator should provide full notice of the intended video surveillance outsidethe shop, for example with a sign or a stand-up display. 
C. The shop operator should instruct the data protection officer to hand out acomprehensive notice to data subjects every time they enter the shop. 
D. The shop operator should provide the most important information on a clearly readablewarning sign to data subjects before they enter the monitored area, and additionalmandatory details by other means. 


Testimonials

Questions in the CIPP-E dumps and actual exam were relatively similar. Dumps4download made it easy and possible for me to achieve 94% marks in the CIPP-E exam. Thank you Dumps4download.

UxMhSLHtjTomYUt

Dumps4download has made the CIPP-E exam pretty much easy for me with their practice software. I passed my exam with an excellent score.

john

I was clueless about the CIPP-E exam. The Dumps4download exam guide aided me in passing my exam. I scored 88% marks.

Blaine

Brilliant pdf files for exam Q&A by Dumps4download.com for the IAPP CIPP-E exam. I recently passed my exam with excellent grades. Credit goes to Dumps4download. Keep up the good work guys.

For

I was stuck in the same post in the office, so I thought of taking the CIPP-E exam. With the help of Dumps4download.com, I passed my CIPP-E exam. It gave a sudden boost to my career, I got the promotion I needed, thanks Dumps4download.

Paulo