[May-2023] CIPP-E Free Sample Questions to Practice One Year Update [Q120-Q142]


Download CIPP-E exam with IAPP CIPP-E Real Exam Questions

NEW QUESTION # 120
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. ProStorage can rely on its Binding Corporate Rules
  • B. HRYourWay was ultimately not selected
  • C. ProStorage will obtain consent for all transfers.
  • D. HRYourWay is not located in a third country.

Answer: C


NEW QUESTION # 121
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

  • A. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
  • B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
  • C. Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
  • D. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.

Answer: C


NEW QUESTION # 122
Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

  • A. Choose the data protection officer that is most sympathetic to their business concerns.
  • B. Select third-party processors on the basis of cost rather than quality of privacy protection.
  • C. Designate their main establishment in the member state with the most flexible practices.
  • D. File appeals of infringement judgments with more than one EU institution simultaneously.

Answer: C


NEW QUESTION # 123
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The data subjects are no longer current students of Frank's
  • B. The processing will not negatively affect the rights of the data subjects
  • C. The data subjects gave their unambiguous consent for the original processing
  • D. The algorithms that Frank uses for the processing are technologically sound

Answer: C


NEW QUESTION # 124
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. A pre-checked box stating that the consumer agrees to receive email marketing.
  • B. A notice that the consumer's email address will be used for marketing purposes.
  • C. A prior opt-in consent for consumers unless they are already customers.
  • D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Answer: C


NEW QUESTION # 125
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

  • A. Information about how providing consent could affect them as employees.
  • B. Information about what is specified in the employment contract.
  • C. Information about who employees should contact with any queries.
  • D. Information about how the measures are in the best interests of the company.

Answer: B


NEW QUESTION # 126
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

  • A. The European Commission
  • B. The Council of the European Union
  • C. The European Council
  • D. The European Parliament

Answer: B


NEW QUESTION # 127
A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

  • A. The rights granted to data subjects under Articles 12 to 22
  • B. The breach notification requirements specified in Articles 33 and 34
  • C. The lawful processing criteria stipulated by Articles 6 to 9
  • D. The information requirements set out in Articles 13 and 14

Answer: A


NEW QUESTION # 128
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

  • A. A potential legal liability and financial exposure from its customers.
  • B. An information security risk by copying the data into a new database.
  • C. A significant risk due to the lack of an informed consent mechanism.
  • D. A significant risk to the customers' fundamental rights and freedoms.

Answer: D


NEW QUESTION # 129
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  • A. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
  • B. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  • C. The European Commission can adopt, repeal or amend an existing adequacy decision.
  • D. The European Commission can adopt an adequacy decision for individual companies.

Answer: D

Explanation:
Reference: https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32449


NEW QUESTION # 130
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents." In relation to the emails Jack listed six members of the management team whose inboxes he required access.
How should the company respond to Jack's request to be forgotten?

  • A. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
  • B. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.
  • C. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.
  • D. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.

Answer: D


NEW QUESTION # 131
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  • A. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
  • B. The ePrivacy Directive allows individual EU member states to engage in such data retention.
  • C. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
  • D. The Data Retention Directive's annulment makes such data retention now permissible.

Answer: A

Explanation:
Reference: https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data-dumortier-goemans2f90.pdf (9)


NEW QUESTION # 132
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?

  • A. Not more than one month of receipt of Mike's request.
  • B. When all the information about Mike has been collected.
  • C. Not more than two months after verifying Mike's identity.
  • D. Not more than thirty days after submission of Mike's request.

Answer: D


NEW QUESTION # 133
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box's Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

  • A. The level of security within the website.
  • B. The need to have the contents of the advertising approved.
  • C. The lack of the option to opt in.
  • D. The contract with the third-party advertising network.

Answer: C


NEW QUESTION # 134
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

  • A. Consent
  • B. Legitimate interest
  • C. Performance of a contract
  • D. Protection of the interests of the data subjects.

Answer: A


NEW QUESTION # 135
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

  • A. Binding corporate rules.
  • B. Standard contractual clauses.
  • C. Law enforcement requests.
  • D. Approved certifications.

Answer: D


NEW QUESTION # 136
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  • A. Submit the contract to its own government authority.
  • B. Supply any information requested by a data protection authority (DPA) within 30 days.
  • C. Ensure that local laws do not impede the company from meeting its contractual obligations.
  • D. Ensure that notice is given to and consent is obtained from data subjects.

Answer: A


NEW QUESTION # 137
Which of the following would require designating a data protection officer?

  • A. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
  • B. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
  • C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
  • D. Processing is carried out by an organization employing 250 persons or more.

Answer: B


NEW QUESTION # 138
A U.S. company's website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

  • A. The website is in English and French, and is accessible in France.
  • B. The widgets are offered in the EU and priced in euro.
  • C. The website places cookies to monitor the EU website user behavior.
  • D. An affiliate office is located in France but the processing is in the U.S.

Answer: B


NEW QUESTION # 139
SCENARIO
Please use the following to answer the next Question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him the full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
  • B. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • C. Louis does not have the right to object to the use of his data because he previously consented to it.
  • D. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.

Answer: B


NEW QUESTION # 140
The transparency principle is most directly related to which of the following rights?

  • A. Right to restriction of processing.
  • B. Right to object
  • C. Right to be informed.
  • D. Right to be forgotten.

Answer: C


NEW QUESTION # 141
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Maintain a secure Bring Your Own Device (BYOD) program.
  • B. Institute a GDPR-compliant employee monitoring process.
  • C. Ensure cloud vendors are complying with internal data use policies.
  • D. Pursue a GDPR-compliant Privacy by Design process.

Answer: A


NEW QUESTION # 142
......
