
[Jun-2026] Pass CIPP-E Exam in First Attempt Updated CIPP-E Exam Questions
Certified Information Privacy Professional Dumps CIPP-E Exam for Full Questions - Exam Study Guide
The CIPP-E certification exam is designed for professionals in privacy-related roles such as data protection officers, privacy consultants, privacy lawyers, compliance officers, and information security professionals. The CIPP-E exam is also suited to professionals who want to advance their careers in the privacy field, and to those who are new to the field and want to gain a comprehensive understanding of European privacy laws and regulations.
The CIPP-E Certification Exam is ideal for professionals who work in data protection, privacy, and security roles, including privacy officers, data protection officers, security professionals, and lawyers. Candidates who pass the exam will have a deep understanding of EU privacy laws and regulations and will be able to advise their organizations on data protection issues.
The IAPP CIPP-E exam is a certification designed for individuals who want to demonstrate their expertise in privacy and data protection in Europe. The exam is developed by the International Association of Privacy Professionals (IAPP) and is recognized globally as a leading certification in the privacy industry.
NEW QUESTION # 182
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A. Information about what is specified in the employment contract.
- B. Information about how the measures are in the best interests of the company.
- C. Information about how providing consent could affect them as employees.
- D. Information about who employees should contact with any queries.
Answer: D
Explanation:
According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject's rights, and any other information necessary to ensure fair and transparent processing [1]. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language [2]. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority [3].
References:
* 1: Art. 13 GDPR - Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)
* 2: Art. 12 GDPR - Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)
* 3: Art. 15-22 GDPR - Rights of the data subject - General Data Protection Regulation (GDPR)
NEW QUESTION # 183
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
- A. The European Commission
- B. The European Parliament
- C. The Article 29 Working Party
- D. The European Council
Answer: A
Explanation:
Reference: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
NEW QUESTION # 184
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- B. Identify uses of data in a privacy notice mailed to the data subject.
- C. Use a layered privacy notice on its website and in its email communications.
- D. Provide only general information about its processing activities and offer a toll-free number for more information.
Answer: B
NEW QUESTION # 185
According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?
- A. An availability breach.
- B. An integrity breach.
- C. A confidentiality breach.
- D. An accuracy breach.
Answer: C
Explanation:
According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.
NEW QUESTION # 186
What is the key difference between the European Council and the Council of the European Union?
- A. The Council of the European Union has a degree of legislative power.
- B. The European Council is comprised of the heads of each EU member state.
- C. The European Council focuses primarily on issues involving human rights.
- D. The Council of the European Union is helmed by a president.
Answer: B
NEW QUESTION # 187
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?
- A. Retention periods for erasure and deletion of categories of personal data.
- B. Categories of recipients to whom the personal data have been disclosed.
- C. Data inventory or data mapping exercises that have been conducted.
- D. Incidents of personal data breaches, whether disclosed or not.
Answer: D
Explanation:
Article 30 of the GDPR requires controllers and processors to maintain records of their processing activities, which include information such as the purposes of the processing, the categories of personal data, the recipients of the data, the retention periods, and the security measures [1][2]. However, Article 30 does not require controllers to keep records of incidents of personal data breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34, which require controllers to notify the supervisory authority and the data subjects of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons [3][4].
References:
* 1: Article 30 of the GDPR
* 2: What do we need to document under Article 30 of the UK GDPR? | ICO
* 3: Article 33 of the GDPR
* 4: Article 34 of the GDPR
Reference: https://medium.com/golden-data/what-records-must-controllers-and-processors-keep-to-comply-with-eu-data-protection-law-3e8bac177695
NEW QUESTION # 188
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?
- A. The Court of Justice of the European Union.
- B. The European Data Protection Board.
- C. The Data Protection Authority.
- D. The European Commission.
Answer: C
NEW QUESTION # 189
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
- A. The contact information of the controller and a description of the retention policy.
- B. The name/s of relevant government agencies involved and the steps needed for revising the data.
- C. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
- D. The identity and contact details of the controller and the reasons the data is being collected.
Answer: D
Explanation:
The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source [1][2]. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller's representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing [3][4]. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR [5].
Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory.
References:
* 1: Article 13 of the GDPR
* 2: Article 14 of the GDPR
* 3: Article 13(1)(a) and of the GDPR
* 4: Article 14(1)(a) and of the GDPR
* 5: Recital 60 of the GDPR
NEW QUESTION # 190
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
- A. If the company's status as a documentary provider allows it to claim legitimate interest.
- B. If obtaining consent is deemed to involve disproportionate effort.
- C. If obtaining consent is deemed voluntary by local legislation.
- D. If the company limits the footage to data subjects solely of legal age.
Answer: A
Explanation:
According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests.
Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing. References:
* GDPR, Article 6(1)(a)-(f)
* GDPR, Recital 47
* GDPR, Article 85
NEW QUESTION # 191
The transparency principle is most directly related to which of the following rights?
- A. Right to be forgotten.
- B. Right to object
- C. Right to restriction of processing.
- D. Right to be informed.
Answer: B
NEW QUESTION # 192
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information - name, location, and prior purchase history - with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.
Under the GDPR, what are Natural Insight's security obligations with respect to the customer information it received from BHealthy?
- A. Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.
- B. Only the security measures assessed by BHealthy prior to entering into the data processing contract.
- C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.
- D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject's purchase history.
Answer: A
Explanation:
According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing [1]. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:
* The state of the art and the costs of implementation;
* The nature, scope, context and purposes of processing;
* The risk of varying likelihood and severity for the rights and freedoms of natural persons.
Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements [1].
In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR.
Natural Insight's security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.
References:
* 1: Art. 32 GDPR - Security of processing
NEW QUESTION # 193
A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?
- A. A state law requires facial recognition to verify attendance.
- B. Processing is necessary for the legitimate interests pursued by the school.
- C. The school places a notice near each camera.
- D. The school gets explicit consent from the students.
Answer: D
Explanation:
The use of facial recognition technology to track student attendance involves the processing of biometric data, which is a special category of personal data under the GDPR. Such data can only be processed under certain conditions, one of which is the explicit consent of the data subject [1]. Therefore, the school may provide a lawful basis for this processing if it obtains the explicit consent of the students (or their legal guardians, if the students are minors). The consent must be freely given, specific, informed and unambiguous, and the students must have the right to withdraw their consent at any time [2]. The other options do not provide a lawful basis for this processing, as they do not meet the requirements for processing special categories of data. Placing a notice near each camera does not constitute consent, nor does it comply with the transparency principle [3]. Processing for the legitimate interests of the school may be a valid basis for processing personal data in general, but not for processing biometric data, unless it is authorised by a specific law that provides suitable safeguards [4]. A state law that requires facial recognition to verify attendance may also be a valid basis for processing personal data in general, but not for processing biometric data, unless it is necessary for reasons of substantial public interest and provides suitable safeguards [5].
References:
* Free CIPP/E Study Guide, page 24, section 3.2
* CIPP/E Certification, page 19, section 3.2
* Cipp-e Study guides, Class notes & Summaries, page 17, section 3.2
* 1: Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
* 2: Consent - General Data Protection Regulation (GDPR), Article 7
* 3: Principles - General Data Protection Regulation (GDPR), Article 5
* 4: Lawfulness of processing - General Data Protection Regulation (GDPR), Article 6
* 5: Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
NEW QUESTION # 194
In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?
- A. Adopting a risk-based approach and implementing supplementary measures as needed.
- B. Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.
- C. Storing all personal data within the borders of the European Union.
- D. Obtaining explicit consent from each EU citizen for every individual data transfer.
Answer: A
NEW QUESTION # 195
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?
- A. Send out consent forms to all of its employees.
- B. Minimize the amount of data collected for the lawsuit.
- C. Encrypt the data from all of its employees.
- D. Inform all of its employees about the lawsuit.
Answer: B
NEW QUESTION # 196
Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?
- A. A data breach has not occurred because no data was exposed to any unauthorized individual.
- B. A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.
- C. A data breach has not occurred because the loss was not the result of hacking.
- D. A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.
Answer: B
Explanation:
A data breach is broadly defined as any incident that leads to the unauthorized access, disclosure, alteration, or destruction of personal data. While options A and B might seem plausible at first glance, they focus on a narrow interpretation of a breach.
The key here is the loss of confidentiality and/or integrity. Even though no one has actively stolen the data, the bank can no longer guarantee the confidentiality of the information, nor can it ensure the integrity of the data since it cannot be accessed or modified securely. This constitutes a loss of control over the data and thus qualifies as a data breach.
References:
* IAPP CIPP/E textbook, Chapter 5: Data Breach Notification (specifically, the definition of a personal data breach)
* GDPR Article 4(12) - Definition of a personal data breach
NEW QUESTION # 197
When is a data sharing agreement MOST likely to be needed?
- A. When anonymized data is being shared.
- B. When personal data is being shared between commercial organizations acting as joint data controllers.
- C. When personal data is being proactively shared by a controller to support a police investigation.
- D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.
Answer: B
NEW QUESTION # 198
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
Why is this company obligated to comply with the GDPR?
- A. The company has offices in the EU.
- B. The company's products are marketed directly to EU customers.
- C. The company's data center is located in a country outside the EU.
- D. The company employs staff in the EU.
Answer: B
Explanation:
The manufacturer is based in Hong Kong, has no offices and employs no staff outside Hong Kong, and sells through local distribution contracts; its toys are nonetheless sold in popular toy stores throughout Europe, so its products are marketed directly to EU customers. According to section 6(1) of the GDPR, personal data shall be processed by organisations which offer goods or services or otherwise carry out activities in relation to which processing of personal data may be regarded as relevant for their legitimate interests. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes.
NEW QUESTION # 199
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- B. Submit a draft decision to other supervisory authorities for their opinion.
- C. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
- D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
Answer: B
Explanation:
According to Article 60 of the GDPR, the lead authority (the CNIL in this case) shall cooperate with the other concerned supervisory authorities (the ICO and any other authority where EVERFIT has an establishment or where data subjects are affected) to reach a consensus on the case. The lead authority shall submit a draft decision to the other authorities for their opinion and take due account of their views. If the other authorities agree with the draft decision, the lead authority shall adopt and notify it to the controller (EVERFIT) and the complainant (Javier). If the other authorities object to the draft decision, they shall express their objections within a specified period and try to reach a consensus with the lead authority. If no consensus is reached, the matter shall be referred to the EDPB for a binding decision under the consistency mechanism (Article 65 of the GDPR). References: GDPR Cooperation and Enforcement, First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, Data protection: Commission adopts new rules to ensure stronger cooperation and enforcement, Article 65 FAQ
NEW QUESTION # 201
Which of the following is NOT a role of works councils?
- A. Determining what changes will affect employee working conditions.
- B. Determining whether to approve or reject certain decisions of the employer that affect employees.
- C. Determining whether employees' personal data can be processed or not.
- D. Determining the monetary fines to be levied against employers for data breach violations of employee data.
Answer: D
NEW QUESTION # 202
What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?
- A. Its penalties for violations of data protection rights were widely viewed as insufficient.
- B. It did not account for the rapid growth of the Internet.
- C. It was implemented in a fragmented manner by a small number of states.
- D. It did not include protections for sensitive personal data.
Answer: C
Explanation:
Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 1981 [1]. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 1995 [2]. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices [3]. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals' rights and freedoms [2]. Therefore, option C is the correct answer. Option B is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments [1]. Option D is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life [1]. Option A is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies [1]. References:
[1] Convention 108 and Protocols
[2] CIPP/E Certification
[3] Convention 108+ and the Data Protection Framework of the EU
NEW QUESTION # 203
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, company Z should do which of the following?
- A. Conduct a thorough audit of all security systems.
- B. Document the loss of availability to demonstrate accountability.
- C. Notify affected individuals that their data was unavailable for a period of time.
- D. Notify the supervisory authority about the loss of availability.
Answer: B
Explanation:
According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident [1]. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [2]. Therefore, a power outage that results in the loss of availability of customer data for six hours is considered a personal data breach under the GDPR.
Based on the WP29's February 2018 guidance, which was endorsed by the European Data Protection Board, company Z should document the loss of availability to demonstrate accountability [3]. The guidance states that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, regardless of whether the breach needs to be notified to the supervisory authority or the data subjects. This documentation must enable the supervisory authority to verify compliance with the GDPR and must be made available to the supervisory authority on request [4].
The other options (A, C, and D) are not required by the GDPR or the guidance, although they may be advisable or beneficial depending on the circumstances. Option C is not mandatory, as the GDPR only requires the controller to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons [5]. A temporary loss of availability may not pose such a high risk, unless it affects the data subject's essential services or activities. Option D is also not obligatory, as the GDPR only requires the controller to notify the supervisory authority of the personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons [6]. A short-term loss of availability may not entail such a risk, unless it affects a large number of data subjects or sensitive data. Option A is not specified by the GDPR or the guidance, although it may be a good practice to conduct a thorough audit of all security systems after a personal data breach to identify and address any vulnerabilities or weaknesses that may have contributed to the incident or may lead to future incidents. References:
[1] Article 32 of the GDPR
[2] Article 4 (12) of the GDPR
[3] Endorsed WP29 Guidelines
[4] Article 33 (5) of the GDPR
[5] Article 34 (1) of the GDPR
[6] Article 33 (1) of the GDPR
[7] Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[9] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
NEW QUESTION # 204
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents". In relation to the emails, Jack listed six members of the management team to whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information. They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search. Jack responded by stating that he would not narrow the scope of the information requested.
What would be the most appropriate response to Jack's data subject access request?
- A. The company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.
- B. The company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.
- C. The company should not provide any information, as the company is headquartered outside of the EU.
- D. The company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.
Answer: B
Explanation:
According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller [1]. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character [1]. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request [1]. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy [1].
In this scenario, Jack's DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR [1]. Therefore, option B is the correct answer.
Option C is incorrect because the company's headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not [2]. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.
Option A is incorrect because the company cannot agree to provide the information requested in Jack's original DSAR within a period of 3 months, as this would violate the data subject's right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject [1]. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay [1]. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.
Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject's right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others [1]. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it [1]:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
References:
[1] Right of access
[2] Territorial scope
NEW QUESTION # 205
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?
- A. The terms of service shall also enumerate all applicable anti-money laundering laws.
- B. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.
- C. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
- D. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.
Answer: D
NEW QUESTION # 206
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?
- A. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.
- B. Reject, because Right Target's processing was conducted throughout Europe.
- C. Accept, because it did not receive any complaints.
- D. Accept, because GDPR permits non-lead authorities to take action for such complaints.
Answer: A