CIPP-E Exam Questions

Total 206 Questions

Last Updated Exam : 16-Dec-2024

To provide evidence of GDPR compliance, a company performs an internal audit. As a
result, it finds a password-protected database listing all the social network followers of the
client.
In the context of the controller-processor relationship, how is this situation assessed?


A.

Compliant with the security principle, because the database is password-protected.


B.

Non-compliant, because the storage of the data exceeds the tasks contractually
authorized by the controller.


C.

Not applicable, because the database is password-protected, and therefore is not at risk
of identifying any data subject.


D.

Compliant with the storage limitation principle, so long as the internal auditor
permanently deletes the database.





B.
  

Non-compliant, because the storage of the data exceeds the tasks contractually
authorized by the controller.




A.

All employees are subject to the rules in their entirety, regardless of where the work is taking place.


B.

All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.


C.

All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.


D.

Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement





C.
  

All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.



Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it
wants to market on its website as a free download. Vigotron’s marketing manager asks his
assistant Emily to create a webpage that describes the app and specifies the terms of use.
Emily, who is new at Vigotron, is excited about this task. At her previous job she took a
data protection class, and though the details are a little hazy, she recognizes that Vigotron
is going to need to obtain user consent for use of the app in some cases. Emily sketches
out the following draft, trying to cover as much as possible before sending it to Vigotron’s
legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related
activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone
settings (along with other third-party apps you may already have) to collect data about all of
these important lifestyle elements, and provide the information necessary for you to enrich
your quality of life. (Please click here to read a full description of the services that M-Health
provides.)
Vigotron values your privacy. The M-Health app allows you to decide which information is
stored in it, and which apps can access your data. When your device is locked with a
passcode, all of your health and fitness data is encrypted with your passcode. You can
back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more
about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app.
Furthermore, we will not provide a customer’s name, email address or any other
information gathered from the app to any third party without a customer’s consent, unless
ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or
protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it,
we ask that you first complete this registration form. (Please note that use of the M-Health
app is restricted to adults aged 16 or older, unless parental consent has been given to
minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think
may be of interest to you, please include your physical address. If you decide later that you
do not wish to receive these newsletters, you can unsubscribe by sending an email to
unsubscribe@vigotron.com or send a letter with your request to the address listed at the
bottom of this page.
Terms and Conditions
1. Jurisdiction. […]
2. Applicable law. […]
3. Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and
that you consent to the processing of your personal data by Vigotron for the purpose of
using the M-Health app. Although you are entitled to opt out of any advertising or
marketing, you agree that Vigotron may contact you or provide you with any required
notices, agreements, or other information concerning the services by email or other
electronic means. You also agree that the Company may send automated emails with
alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point
out as the biggest problem with Emily’s consent provision?


A.

It is not legal to include fields requiring information regarding health status without consent.


B.

Processing health data requires explicit consent, but the form does not ask for explicit consent.


C.

Direct marketing requires explicit consent, whereas the registration form only provides for a right to object


D.

The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.





B.
  

Processing health data requires explicit consent, but the form does not ask for explicit consent.

Reference: Article 9(2)(a) GDPR. Health status is a special category of personal data, so the
blanket "by completing this form you consent" clause is not sufficient; explicit consent to the
processing of health data is required. Direct marketing, by contrast, does not by itself require
explicit consent under the GDPR (Recital 47 recognises it as a possible legitimate interest), so
option C misstates the rule.



Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last
few years. Their new manager, Oliver, suspects that this is partly due to the company’s
outdated website. After doing some research, he meets with a sales representative from
the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge
website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more
customer information through detailed questionnaires, which could be used to tailor their
preferences to specific travel destinations. TripBliss Inc. can choose any number of data
categories – age, income, ethnicity – that would help them best accomplish their goals.
Oliver loves this idea, but would also like to have some way of gauging how successful this
approach is, especially since the questionnaires will require customers to provide explicit
consent to having their data collected. The Techiva representative suggests that they also
run a program to analyze the new website’s traffic, in order to get a better understanding of
how customers are using it. He explains his plan to place a number of cookies on customer
devices. The cookies will allow the company to collect IP addresses and other information,
such as the sites from which the customers came, how much time they spend on the
TripBliss Inc. website, and which pages on the site they visit. All of this information will be
compiled in log files, which Techiva will analyze by means of a special program. TripBliss
Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness.
Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon
Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s
website, and can authorize access to the log files gathered from it. Unfortunately for
TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction
with Techiva is at a high point. In order to take revenge for what he feels has been unfair
treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for
help. Together they come up with the following plan: Fred will hack into Techiva’s system
and copy their log files onto a USB stick. Despite his initial intention to send the USB to the
press and to the data protection authority in order to denounce Techiva, Leon experiences
a crisis of conscience and ends up reconsidering his plan. He decides instead to securely
wipe all the data from the USB stick and inform his manager that the company’s system of
access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a
processor?


A.

They must report it to TripBliss Inc.


B.

They must conduct a full systems audit.


C.

They must report it to the supervisory authority.


D.

They must inform customers who have used the website.





A.
  

They must report it to TripBliss Inc.

Reference: Article 33(2) GDPR. A processor that becomes aware of a personal data breach must
notify the controller without undue delay. Whether the supervisory authority (Article 33(1)) or
the affected data subjects (Article 34) must then be notified is the controller's decision, not
the processor's; a systems audit may be prudent but is not a legal obligation imposed on the
processor by the GDPR.



What are the obligations of a processor that engages a sub-processor?


A.

The processor must give the controller prior written notice and perform a preliminary
audit of the sub-processor.


B.

The processor must obtain the controller’s specific written authorization and provide
annual reports on the sub-processor’s performance.


C.

The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.


D.

The processor must obtain the consent of the controller and ensure the sub-processor
complies with data processing obligations that are equivalent to those that apply to the
processor.





D.
  

The processor must obtain the consent of the controller and ensure the sub-processor
complies with data processing obligations that are equivalent to those that apply to the
processor.

Reference: Article 28(2) and 28(4) GDPR. A processor may engage a sub-processor only with the
controller's prior specific or general written authorisation, and the same data protection
obligations set out in the controller-processor contract must be imposed on the sub-processor.
Option C is wrong because it is the initial processor, not the sub-processor, that remains fully
liable to the controller for the sub-processor's performance.

Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it
is a multi-billion-dollar candy company operating in every continent. All of the company’s IT
servers are located in Vermont. This year Joe hires his son Ben to join the company and
head up Project Big, which is a major marketing strategy to triple gross revenue in just 5
years. Ben graduated with a PhD in computer software from a top university. Ben decided
to join his father’s company, but is also secretly working on launching a new global online
dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that
many of them might also be interested in finding their perfect match. For Project Big, Ben
redesigns the company’s online web portal and requires customers in the European Union
and elsewhere to provide additional personal information in order to remain a customer.
Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto
a separate database for Ben Knows Best. Ben believes that he is not doing anything
wrong, because he explicitly asks each customer to give their consent by requiring them to
check a box before accepting their information. As Project Big is an important project, the
company also hires a first year college student named Sam, who is studying computer
science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer
information of people that reside in Ireland so that he and his friends can contact people
when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the
U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she
does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the
company to have in place a legal mechanism to transfer data internally from the company’s
operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge
of handling a major lawsuit that has been brought against the company in federal court in
the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make
copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s
information. Alice believes that Joe will be happy that she did the first level review, as it will
save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company
did not first get approval from which of the following?


A.

The Court of Justice of the European Union.


B.

The European Data Protection Board.


C.

The Data Protection Authority.


D.

The European Commission.





C.
  

The Data Protection Authority.



Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?


A.

Personal data revealing ethnic origin.


B.

Personal data revealing genetic data.


C.

Personal data revealing financial data.


D.

Personal data revealing trade union membership.





C.
  

Personal data revealing financial data.



Reference: https://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm

Which of the following is an example of direct marketing that would be subject to European data protection laws?


A.

An updated privacy notice sent to an individual’s personal email address.


B.

A charity fundraising event notice sent to an individual at her business address.


C.

A service outage notification provided to an individual by recorded telephone message.


D.

A revision of contract terms conveyed to an individual by SMS from a marketing





B.
  

A charity fundraising event notice sent to an individual at her business address.



As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?


A.

 of the interests of the data subjects.


B.

Performance of a contract


C.

Legitimate interest


D.

Consent





C.
  

Legitimate interest

Reference: Article 6(1)(f) and Recital 47 GDPR. Recital 47 states that the processing of
personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate
interest of the controller. Consent is a poor fit because a fraud-prevention control cannot be
made dependent on a choice the data subject may withdraw at any time.



Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU
member states, but for the purposes of the GDPR maintains its primary establishment in
France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the
border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was
photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the
time, Javier gave his consent to being included in the photograph, since he was told that it
would be used for promotional purposes only. Since then, the photograph has been used in
the club’s U.K. brochures, and it features in the landing page of its U.K. website. However,
the fitness club has recently fallen into disrepute due to widespread mistreatment of
members at various branches of the club in several EU member states. As a result, Javier
no longer feels comfortable with his photograph being publicly associated with the fitness
club.
After numerous failed attempts to book an appointment with the manager of the local
branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image
be removed from the website and all promotional materials. Months pass and Javier,
having received no acknowledgment of his request, becomes very anxious about this
matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory
authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56(3) of the
GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment)
about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the
CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL
liaises with the ICO, as relevant under the cooperation procedure. In light of issues
amongst the supervisory authorities to reach a decision, the European Data Protection
Board becomes involved and, pursuant to the consistency mechanism, issues a binding
decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to
honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVERFIT branches across several EU countries are acting as
separate data controllers, and that each of those branches was responsible for mishandling
Javier’s request, how may Javier proceed in order to seek compensation?


A.

He will have to sue EVERFIT’s head office in France, where EVERFIT has its main establishment.


B.

He will be able to sue any one of the relevant EVERFIT branches, as each one may be held liable for the entire damage.


C.

He will have to sue each EVERFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.


D.

He will be able to apply to the European Data Protection Board in order to determine which particular EVERFIT branch is liable for damages, based on the decision that was made by the board.





B.
  

He will be able to sue any one of the relevant EVERFIT branches, as each one may be held liable for the entire damage.

Reference: Article 82(4) GDPR. Where more than one controller or processor is involved in the
same processing and is responsible for the damage, each is held liable for the entire damage so
that the data subject receives effective compensation; apportionment between them happens
afterwards under Article 82(5). The EDPB's binding decision under the consistency mechanism
concerns the supervisory authorities, not the civil claim for damages.



