
2025 New Training Course CIPP-E Tutorial Preparation Guide
Dumps of CIPP-E Cover all the requirements of the Real Exam
NEW QUESTION # 149
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
- B. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
- C. The ePrivacy Directive allows individual EU member states to engage in such data retention.
- D. The Data Retention Directive's annulment makes such data retention now permissible.
Answer: A
NEW QUESTION # 150
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
- B. The ePrivacy Directive allows individual EU member states to engage in such data retention.
- C. The Data Retention Directive's annulment makes such data retention now permissible.
- D. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
Answer: D
Explanation:
The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.
One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.
However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that "Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive". Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.
The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.
The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .
Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.
Reference:
ePrivacy Directive
ePrivacy Regulation
What is Communications Traffic Data?
How is Communications Traffic Data Retained?
Data Retention Directive
Data Retention Directive annulled by CJEU
General Data Protection Regulation
What are your rights regarding your personal data?
NEW QUESTION # 151
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
- B. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
- C. The ePrivacy Directive allows individual EU member states to engage in such data retention.
- D. The Data Retention Directive's annulment makes such data retention now permissible.
Answer: A
Explanation:
Reference https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data- dumortier-goemans2f90.pdf (9)
NEW QUESTION # 152
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?
- A. Encrypt the data from all of its employees.
- B. Minimize the amount of data collected for the lawsuit.
- C. Send out consent forms to all of its employees.
- D. Inform all of its employees about the lawsuit.
Answer: B
NEW QUESTION # 153
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?
- A. When the data has been pseudonymized.
- B. When the data subject has failed to use a provided opt-out mechanism.
- C. When the data is protected by technological safeguards.
- D. When the data serves legitimate interest of third parties.
Answer: D
Explanation:
Section: (none)
Explanation
NEW QUESTION # 154
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information - name, location, and prior purchase history - with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.
In which case would Natural Insight's use of BHealthy's data for improvement of its algorithms be considered data processor activity?
- A. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.
- B. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities.
- C. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy.
- D. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities.
Answer: A
Explanation:
According to the General Data Protection Regulation (GDPR), a data processor is a natural or legal person, agency, public authority, or any other body who processes personal data on behalf of a data controller. A data controller is a natural or legal person, agency, public authority, or any other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR imposes specific obligations and responsibilities on both data controllers and data processors, and requires them to enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.
In this scenario, BHealthy is the data controller, as it determines the purpose and means of collecting and sharing its customer information with Natural Insight. Natural Insight is the data processor, as it processes the customer information on behalf of BHealthy for the purpose of determining the price point for BHealthy's new sunscreens. However, Natural Insight also intends to use the customer information for its own purpose of improving its algorithms, which may not be aligned with BHealthy's purpose or instructions. This may constitute a breach of the data processing contract and the GDPR, as the data processor must only process the personal data on documented instructions from the data controller, unless required to do so by EU or member state law (Article 28(3)(a) of the GDPR).
Therefore, the only case in which Natural Insight's use of BHealthy's data for improvement of its algorithms would be considered data processor activity is if Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. This would mean that BHealthy has given its consent and authorization for Natural Insight to process the data for that specific purpose, and that Natural Insight is acting in accordance with BHealthy's instructions. In this case, Natural Insight would still be bound by the data processing contract and the GDPR, and would have to comply with the other obligations and requirements of a data processor, such as ensuring the security of the data, respecting the conditions for engaging another processor, assisting the data controller in ensuring compliance with the GDPR, and deleting or returning the data to the data controller after the end of the service.
The other options are not valid cases for data processor activity, as they do not involve the data controller's instructions or consent. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy, it may still be processing the data for a different purpose than the one for which it was collected and shared, and without BHealthy's knowledge or approval. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities, it may still be violating the data processing contract and the GDPR, as it is not acting on behalf of the data controller, but for its own benefit. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities, it may still be infringing the data controller's rights and obligations, as it is not the data controller's role to inform the data subjects of the processing activities, and it may not have a lawful basis for processing the data for its own purpose.
Reference:
GDPR
Data Controllers and Processors - GDPR EU
Who does the UK GDPR apply to? | ICO
What Activities Count as Processing Under the GDPR?
What constitutes data processing? - European Commission
NEW QUESTION # 155
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion- dollar candy company operating in every continent. All of the company's IT servers are located in Vermont.
This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone' s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben's collection of additional data from customers created several potential issues for the company, which would most likely require what?
- A. Hiring a data protection officer.
- B. A comprehensive data inventory.
- C. A data protection impact assessment.
- D. New corporate governance and code of conduct.
Answer: C
Explanation:
Ben's collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:
* The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.
* The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.
* The risk of non-compliance with the GDPR's requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.
* The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company's servers in Vermont, which may not have adequate security measures or safeguards.
Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3.
The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:
* Free CIPP/E Study Guide, page 32, section 4.1.2
* CIPP/E Certification, page 27, section 4.1.2
* The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2
* Principles - General Data Protection Regulation (GDPR), Article 5
* Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
* Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35
NEW QUESTION # 156
What obligation does a data controller or processor have after appointing a data protection officer?
- A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
- B. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
- C. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
- D. To ensure that the data protection officer acts as the sole point of contact for individuals' Questions: about their personal data.
Answer: C
Explanation:
According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1. The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1.
NEW QUESTION # 157
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the dat a. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities." What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?
- A. Any marketing information at all.
- B. Marketing information related to other business operations of WonderKids.
- C. No marketing information at all.
- D. Marketing information for products or services similar to those purchased from WonderKids.
Answer: D
Explanation:
According to the ePrivacy Directive, which regulates direct electronic marketing in the EU, consent is generally required before sending marketing emails or texts. However, there is an exception known as the 'soft opt-in', which allows marketing emails or texts to be sent on an opt-out basis if the recipient's details were collected "in the context of the sale of a product or a service" and the marketing is for "similar products or services" provided by the same organisation12. Therefore, WonderKids can send direct marketing information by email without prior consent of the person booking the childcare, as long as the information is about similar products or services to those purchased from WonderKids, and the person is given a clear and easy way to opt out of receiving such emails. The other options are not allowed under the ePrivacy Directive, unless the person has given explicit consent to receive them. Reference:
Free CIPP/E Study Guide, page 33, section 4.1.3
CIPP/E Certification, page 28, section 4.1.3
Cipp-e Study guides, Class notes & Summaries, page 39, section 4.1.3
Direct marketing rules and exceptions under the GDPR, paragraph 5
Marketing | ICO, section "What does the 'soft opt-in' mean?"
NEW QUESTION # 158
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?
- A. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
- B. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
- C. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
- D. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
Answer: A
NEW QUESTION # 159
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
- A. Ruth's implied consent.
- B. Performance of a contract with Ruth.
- C. Protecting against legal liability from Ruth.
- D. Protecting the vital interest of Ruth
Answer: D
Explanation:
According to Article 49 of the GDPR, transfers of personal data to third countries or international organisations may take place in the absence of an adequacy decision or appropriate safeguards, such as standard contractual clauses or binding corporate rules, only if one of the derogations listed in that article applies1. One of the derogations is when the transfer is necessary for the protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent1. This derogation is intended to cover only urgent situations, such as medical emergencies, where the transfer is essential for the data subject's life or health2.
In this scenario, ProStorage most likely relied on this derogation to transfer Ruth's medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. The transfer was necessary for the protection of Ruth's vital interests, as she was in a critical condition and needed urgent medical care. Ruth was also physically or legally incapable of giving consent, as she was unconscious or incapacitated. Therefore, option B is the correct answer.
Option A is incorrect because Ruth's implied consent is not a valid transfer mechanism under the GDPR. Consent must be explicit, informed, specific, and freely given for the transfer of personal data to third countries or international organisations1. Ruth did not give any explicit consent for the transfer of her medical information to the hospital, nor was she informed or asked about it. Moreover, consent cannot be relied on as a transfer mechanism when the data subject is in a situation of distress or dependence, such as a medical emergency, as it would not be considered freely given2.
Option C is incorrect because the performance of a contract with Ruth is not a valid transfer mechanism under the GDPR. The transfer of personal data to third countries or international organisations on the basis of a contract with the data subject is only allowed if the transfer is necessary for the performance of that contract or for the implementation of pre-contractual measures taken at the data subject's request1. In this scenario, there is no contract between ProStorage and Ruth that requires or justifies the transfer of her medical information to the hospital. The transfer is not necessary for the performance of Ruth's employment contract with ProStorage, nor for any pre-contractual measures taken by Ruth.
Option D is incorrect because the protection against legal liability from Ruth is not a valid transfer mechanism under the GDPR. The transfer of personal data to third countries or international organisations on the grounds of legal claims or defence is only allowed if the transfer is necessary for the establishment, exercise or defence of legal claims1. In this scenario, there is no legal claim or defence involved in the transfer of Ruth's medical information to the hospital. The transfer is not necessary for the establishment, exercise or defence of any legal claim by or against ProStorage or Ruth.
Reference:
Derogations for specific situations
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
NEW QUESTION # 160
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
- A. Binding corporate rules.
- B. Standard contractual clauses.
- C. Law enforcement requests.
- D. Approved certifications.
Answer: D
Explanation:
According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met. Reference:
Article 42 of the GDPR
European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
NEW QUESTION # 161
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To create and maintain records of processing activities.
- B. To create procedures for notification of personal data breaches to competent supervisory authorities.
- C. To monitor compliance with other local or European data protection provisions.
- D. To conduct Privacy Impact Assessments on behalf of the controller or processor.
Answer: C
Explanation:
Reference https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required- gdpr-compliance
NEW QUESTION # 162
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A. A voluntary notification for personal data breaches applicable to electronic communication providers.
- B. A voluntary notification for personal data breaches applicable to all data controllers.
- C. A mandatory notification for personal data breaches applicable to all data controllers.
- D. A mandatory notification for personal data breaches applicable to electronic communication providers.
Answer: D
Explanation:
The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers.
According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.
The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e- Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches
NEW QUESTION # 163
Which of the following was the first to implement national law for data protection in 1973?
- A. Germany
- B. United Kingdom
- C. France
- D. Sweden
Answer: D
Explanation:
Reference:
Sweden was the first country to enact a national data protection law in 1973, called the Data Act. It went into effect on 1 July 1974 and required licenses by the Swedish Data Protection Authority for information systems handling personal data. The law was a result of public concern about the use of computers and the potential abuse of personal data by the government and other entities. The law was later superseded by the Personal Data Act in 1998, which implemented the EU Data Protection Directive. Reference: Data Act (Sweden) - Wikipedia, Data Privacy Act: A Brief History of Modern Data Privacy Laws - eperi, Swedish Authority for Privacy Protection - Wikipedia Learn more
1en.wikipedia.org2blog.eperi.c
NEW QUESTION # 164
For which of the following operations would an employer most likely be justified in requesting the data subject's consent?
- A. Posting an employee's bicycle race photo on the company's social media.
- B. Assessing a potential employee's job application.
- C. Operating a CCTV system on company premises.
- D. Processing an employee's health certificate in order to provide sick leave.
Answer: A
NEW QUESTION # 165
How is the GDPR's position on consent MOST likely to affect future app design and implementation?
- A. App developers' responsibilities as data controllers will increase.
- B. App developers will expand the amount of data necessary to collect for an app's functionality.
- C. Users will be given granular types of consent for particular types of processing.
- D. Users will see fewer advertisements when using apps.
Answer: C
NEW QUESTION # 166
......
IAPP CIPP-E certification exam is a globally recognized certification for professionals who specialize in information privacy law and regulation in Europe. CIPP-E exam covers a wide range of topics and is designed to equip professionals with the knowledge and skills necessary to develop and implement effective data protection strategies. The benefits of obtaining the certification are numerous, including enhanced professional credibility and marketability, career advancement, and increased earning potential.
The CIPP/E certification exam covers various topics related to European data protection laws and regulations, including the GDPR's principles, data subjects' rights, data controllers and processors' responsibilities, data protection impact assessments, international data transfers, and enforcement and compliance. CIPP-E exam consists of 90 multiple-choice questions, and candidates have two and a half hours to complete it.
Sample Questions of CIPP-E Dumps With 100% Exam Passing Guarantee: https://www.realvalidexam.com/CIPP-E-real-exam-dumps.html
Correct Practice Tests of CIPP-E Dumps with Practice Exam: https://drive.google.com/open?id=1MkV5pOb5XfZL1YSakz0enb6lftwLQLp-
