CIPP-E Exam Questions

Total 206 Questions

Last Updated Exam : 16-Dec-2024

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?


A.

The widgets are offered in the EU and priced in euro.


B.

The website is in English and French, and is accessible in France.


C.

An affiliate office is located in France but the processing is in the U.S.


D.

The website places cookies to monitor the EU website user behavior.





B.
  

The website is in English and French, and is accessible in France.
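
Explanation: Article 3(2) GDPR applies to a non-EU controller that offers goods or services to data subjects in the EU or monitors their behaviour; mere accessibility of a website from the EU is not enough to show that goods are being offered there (Recital 23). Pricing in euro, an EU establishment (Article 3(1)) and cookies that monitor EU users (Article 3(2)(b)) can each trigger the Regulation.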



Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a
few months ago. Although no one was hurt, Louis has been plagued by texts and calls from
a company called Accidentable offering to help him recover compensation for personal
injury. Louis has heard about insurance companies selling customers’ data to third parties,
and he’s convinced that Accidentable must have gotten his information from Bedrock
Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock,
trying to sell him their full range of insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and
has been shocked to find that other insurers offer much cheaper rates than Bedrock, even
though he has been a loyal customer for many years. When his Bedrock policy comes up
for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with
information about his No Claims bonus, his vehicle and his driving history. After
researching his rights under the GDPR, he writes to ask Bedrock to transfer his information
directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his
personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his
No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is
not technically feasible. Bedrock also explains that Louis’s contract included a provision
whereby Louis agreed that his data could be used for marketing purposes; according to
Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he
recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He
writes to Accidentable to ask for the name of the organization that supplied his details to
them. He warns Accidentable that he plans to complain to the data protection authority,
because he thinks their company has been using his data unlawfully. His letter states that
he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock
Insurance’s wholly owned subsidiary, and they received information about Louis’s accident
from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis
that there has been no breach of the GDPR, as Louis’s contract included a provision in
which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them
insisting that all his information be erased from their computer system.
Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data
portability request?


A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.


B.

Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.


C.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.


D.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.





A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.

Explanation: Article 20(1) GDPR entitles Louis to receive his data in a structured, commonly used and machine-readable format (which the XML file satisfies), but Article 20(2) gives the right to have the data transmitted directly to another controller only “where technically feasible”. The public-interest exception in Article 20(3) does not apply to an insurer processing data under a contract, and the GDPR imposes no obligation to build interoperable systems.



Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded
its presence in Europe. Anxious to achieve market dominance, Liem teamed up with
another eco-friendly company, EcoMick, which sells accessories like belts and bags.
Together the companies drew up a series of marketing campaigns designed to highlight the
environmental and economic benefits of their products. After months of planning, Liem and
EcoMick entered into a data sharing agreement to use the same marketing database,
MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms
of which included processing personal data only upon Liem and EcoMick’s instructions,
and making available to them all information necessary to demonstrate compliance with
GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing
optimization firm that uses machine learning to help companies run successful campaigns.
Clients provide JaphSoft with the personal data of individuals they would like to be targeted
in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems
appropriate. JaphSoft works to continually improve its machine learning models by
analyzing the data it receives from its clients to determine the most successful components
of a successful campaign. JaphSoft then uses such models in providing services to its
client-base. Since the models improve only over a period of time as more information is
collected, JaphSoft does not have a deletion process for the data it receives from clients.
However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the
personal data by removing identifying
information from the contact information. JaphSoft’s engineers, however, maintain all
contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which
included contact information as well as prior purchase history for such contacts, to create
campaigns that would result in the most views of the two companies’ websites. A prior Liem
customer, Ms. Iman, received a marketing campaign
from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman
recalls checking a box to receive information in the future regarding Liem’s products, she
has never shopped at EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to
JaphSoft?


A.

She was not told which controller would be processing her personal data.


B.

She only viewed the visual representations of the privacy notice Liem provided.


C.

She did not read the privacy notice stating that her personal data would be shared.


D.

She has never made any purchases from JaphSoft and has no relationship with the
company.





A.

She was not told which controller would be processing her personal data.

Explanation: Consent must be freely given, specific and informed (Article 4(11) GDPR), which requires that the data subject know the identity of the controller(s) who will rely on it. Ms. Iman’s tick box covered information about Liem’s products; neither EcoMick nor JaphSoft, which also uses the data for its own model training, was identified to her, so her consent cannot be relied on by them.



Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own
business for two years. Brady’s business provides a low-cost suite of services to customers
throughout the European Economic Area (EEA). The services are targeted towards new
and aspiring small business owners. Brady’s company, called Brady Box, provides web
page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna
recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to
public viewing. Although she realized her mistake two weeks later and removed the
document, Anna is holding Brady Box responsible for not noticing the error through regular
monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was
transferred to a third-party contractor called Hermes Designs and worries that sensitive
information regarding his business plans may be misused. Brady does not believe he
violated European privacy rules. He provides a privacy notice to all of his customers
explicitly stating that personal data may be transferred to specific third parties in fulfillment
of a requested service. Felipe says he read the privacy notice but that it was long and
complicated.
Brady continues to insist that Felipe has no need to be concerned, as he can personally
vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative
to create sample customized banner advertisements for customers like Felipe. Brady is
happy to provide a link to the example banner ads, now posted on the Hermes Designs
webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation
by him is being used within a graphic collage on Brady Box’s home webpage. The
quotation is attributed to Serge by first and last name. Brady, however, was not worried
about any sort of litigation. He wrote back to Serge to let him know that he found the
quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had
posted the quotation. In his response, Brady did offer to remove the quotation as a
courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements
his income through online behavioral advertising (OBA) via a third-party ad network with
whom he has set clearly defined roles. Brady is pleased that, although some customers are
not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with
Hermes Designs’ handling of customer personal data?


A.

The data is sensitive.


B.

The data is uncategorized.


C.

The data is being used for a new purpose.

 


D.

The data is being processed via a new means.





C.

The data is being used for a new purpose.

Explanation: The privacy notice covers transfers to third parties in fulfilment of a requested service. Hermes Designs’ planned direct marketing to Brady Box customers is a further purpose that is not compatible with that one (Article 5(1)(b) and Article 6(4) GDPR), and the data subjects have not been informed of it (Article 13(3)).



Which of the following is NOT considered a fair processing practice in relation to the transparency principle?


A.

Providing a multi-layered privacy notice, in a website environment.


B.

Providing a QR code linking to more detailed privacy notice, in a CCTV sign.


C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.


D.

Providing a “just-in-time” contextual pop-up privacy notice, in an online application form
field.





C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.

Explanation: The Article 29 Working Party Guidelines on transparency (WP260) endorse layered notices, QR codes on CCTV signs and just-in-time contextual notices as ways of bringing information to the data subject’s attention in a concise and accessible form (Article 12(1) GDPR). A reader of a paper form cannot click a hyperlink, and a home page is not the privacy notice itself, so that approach does not make the information readily accessible.



Which type of personal data does the GDPR define as a “special category” of personal
data?


A.

Educational history.


B.

Trade-union membership.


C.

Closed Circuit Television (CCTV) footage.


D.

Financial information.





B.
  

Trade-union membership.



Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation
or other processing of an individual’s personal data.
Which of the following best explains why this practice would NOT be subject to the GDPR?


A.

Body temperature is not considered personal data.


B.

The practice does not involve completion by automated means.


C.

Body temperature is considered pseudonymous data.


D.

The practice is for the purpose of alleviating extreme risks to public health





B.
  

The practice does not involve completion by automated means.
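
Explanation: Article 2(1) GDPR covers processing of personal data wholly or partly by automated means, and manual processing only where the data form part of, or are intended to form part of, a filing system. A manual temperature reading that is neither recorded nor filed is neither; the value itself would be personal data (indeed health data) if it were recorded.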



Under Article 30 of the GDPR, controllers are required to keep records of all of the
following EXCEPT?


A.

Incidents of personal data breaches, whether disclosed or not.


B.

Data inventory or data mapping exercises that have been conducted.


C.

Categories of recipients to whom the personal data have been disclosed.


D.

Retention periods for erasure and deletion of categories of personal data.





B.

Data inventory or data mapping exercises that have been conducted.

Explanation: Article 30(1) GDPR requires the record of processing activities to contain, among other things, the categories of recipients to whom personal data have been or will be disclosed and, where possible, the envisaged time limits for erasure of the different categories of data. Controllers must also document all personal data breaches, whether or not they are notified to the supervisory authority (Article 33(5)). No provision requires a record of data mapping exercises as such; the mapping is a means of compiling the Article 30 record, not a record the GDPR demands.



Reference: https://medium.com/golden-data/what-records-must-controllers-and-processors-keep-to-comply-with-eu-data-protection-law-3e8bac177695

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?


A.

Both govern international transfers of personal data


B.

Both govern the manual processing of personal data


C.

Both only apply to European Union countries


D.

Both require notification of processing activities to a supervisory authority





A.

Both govern international transfers of personal data

Explanation: Chapter V of the GDPR and Article 12 of Convention 108 both regulate transborder flows of personal data. Convention 108 is open to any state, not only EU Member States, and was originally limited to automated processing; the GDPR abolished the general obligation to notify processing to a supervisory authority, replacing it with the internal record of processing activities under Article 30.



A company is located in a country NOT considered by the European Union (EU) to have an
adequate level of data protection. Which of the following is an obligation of the company if it
imports personal data from another
organization in the European Economic Area (EEA) under standard contractual clauses?


A.

Submit the contract to its own government authority.


B.

Ensure that notice is given to and consent is obtained from data subjects.


C.

Supply any information requested by a data protection authority (DPA) within 30 days.


D.

Ensure that local laws do not impede the company from meeting its contractual
obligations.





D.

Ensure that local laws do not impede the company from meeting its contractual
obligations.

Explanation: Under the standard contractual clauses the data importer warrants that it has no reason to believe that the laws and practices of its country prevent it from fulfilling its obligations under the clauses, and must inform the exporter if that changes (Clause 14 of the 2021 SCCs adopted by Decision (EU) 2021/914). The clauses do not require the importer to file the contract with its own government, to obtain data subject consent, or to answer DPA requests within a fixed 30-day period.


