[Q109-Q133] Updated CIPP-E Dumps PDF - CIPP-E Real Valid Brain Dumps With 270 Questions!


NEW QUESTION # 109
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

  • A. The requirements affected individuals without exception.
  • B. The requirements had limitations on how national authorities could use data.
  • C. The requirements were financially burdensome to EU businesses.
  • D. The requirements specified that data must be held within the EU.

Answer: A

Explanation:
In Digital Rights Ireland (Joined Cases C-293/12 and C-594/12, judgment of 8 April 2014) the Court of Justice invalidated Directive 2006/24/EC because it interfered with the rights to private life and to the protection of personal data (Articles 7 and 8 of the Charter) beyond what was strictly necessary. One of the Court's reasons was that the Directive covered all persons, all means of electronic communication and all traffic data without any differentiation, limitation or exception. Option B is incorrect: the Directive set almost no limits on how national authorities could access and use the retained data, and that absence of limits was part of the problem the Court identified. Nothing in the Directive required the data to be held within the EU, and cost to business was not the basis of the ruling.


NEW QUESTION # 110
Which of the following is the weakest lawful basis for processing employee personal data?

  • A. Processing based on fulfilling an employment contract.
  • B. Processing based on employee consent.
  • C. Processing based on legitimate interests.
  • D. Processing based on legal obligation.

Answer: B

Explanation:
According to the GDPR, consent is one of the six lawful bases for processing personal data, but it is not always the most appropriate one. Consent must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it at any time [1]. In the employment context consent is rarely a valid lawful basis, because the clear imbalance of power between employer and employee means it is unlikely to be freely given [2]. Consent is also difficult to manage and document, and processing that depends on it must stop if the employee withdraws it. Consent is therefore the weakest lawful basis for processing employee personal data, and employers should rely on another basis, such as contract, legal obligation, vital interests, public task or legitimate interests, depending on the purpose and necessity of the processing [3].
Reference:
[1] GDPR Article 4(11) and Article 7
[2] EDPB Guidelines on consent, page 6
[3] A Guide to Lawful Basis for Processing Employee Personal Data


NEW QUESTION # 111
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  • A. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
  • B. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
  • C. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  • D. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

Answer: C

Explanation:
According to Article 5(3) of the ePrivacy Directive (2002/58/EC), storing information on, or gaining access to information already stored in, a user's terminal equipment (which is what a cookie does) requires the user's consent, unless the cookie is strictly necessary to provide a service explicitly requested by the user. A cookie that remembers the items in a shopping cart does not require consent; a cookie that tracks browsing behaviour for analytics or advertising purposes does. Consent has its GDPR meaning: freely given, specific, informed and unambiguous, obtained before the cookie is placed or read, and the request for it must be clearly distinguishable from other matters (GDPR Article 7(2)). The categories of data involved and the recipients of the data do not change whether consent is required for the cookie itself. TripBliss Inc.'s analytics cookies (IP address, referring site, time on site, pages visited) are not strictly necessary for the travel service the customer requested, so consent requirements apply. Therefore, option C is correct.
Option D is incorrect because Article 5(3) does not require explicit consent for cookies as such; explicit consent becomes relevant only where the cookie data involve special categories of personal data under Article 9 of the GDPR, and nothing in the scenario indicates that the cookies collect such data.
Option B is incorrect because the consent requirement does not depend on the recipients of the data or on the level of aggregation. Consent must be obtained from the user whose device the cookie is stored on or read from, regardless of who receives the resulting statistics or how they are processed.
Option A is incorrect because the consent requirement does not depend on the potential for location tracking. Consent is needed for any cookie that is not strictly necessary for a service the user requested, regardless of the cookie's type or purpose.
Reference:
ePrivacy Directive, Article 5(3)
GDPR, Article 4(11), Article 7, Article 9
CIPP/E Study Guide, Chapter 5, Section 5.2.2


NEW QUESTION # 112
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

  • A. Every three (3) years.
  • B. On an ongoing basis.
  • C. After a personal data breach.
  • D. Every year.

Answer: B

Explanation:
Reference:
EDPB Recommendations 01/2020 on measures that supplement transfer tools, https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf


NEW QUESTION # 113
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?

  • A. Yes, the assessors are considered to be joint data controllers and must sign a mutual data processing agreement.
  • B. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
  • C. No, the assessors do not qualify as data processors as they only have access to encrypted data.
  • D. No, the assessors do not qualify as data processors as they do not copy the data to their facilities.

Answer: B


NEW QUESTION # 114
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

  • A. When an individual has not consented to the marketing.
  • B. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
  • C. When an individual's details are obtained from their inquiries about buying a product.
  • D. Where an individual's details have been obtained from a bought-in marketing list.

Answer: C

Explanation:
The "soft opt-in" in Article 13(2) of the ePrivacy Directive (2002/58/EC) allows a business to send electronic marketing without prior consent only where it obtained the customer's contact details in the context of the sale of a product or service, markets its own similar products or services, and gives the customer a clear and free opportunity to object both when the details are collected and in every subsequent message. The circumstance that makes the rule available is therefore how the details were obtained (option C). An unsubscribe facility (option B) is one of the rule's conditions, not the circumstance that triggers it; the rule never covers bought-in lists (option D), and it is not a general substitute for consent (option A).


NEW QUESTION # 115
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

  • A. The establishment of a list of legitimate data processing criteria
  • B. The creation of legally binding data protection principles
  • C. The restriction of cross-border data flow
  • D. The synchronization of approaches to data protection

Answer: D

Explanation:
The OECD Guidelines, Convention 108 and Directive 95/46/EC all aimed at a harmonised approach to data protection across jurisdictions. Because the Directive had to be transposed into national law, member states' rules continued to diverge in substance and enforcement; the GDPR, as a directly applicable regulation, was adopted largely to remedy that lack of harmonisation.


NEW QUESTION # 116
What is the key difference between the European Council and the Council of the European Union?

  • A. The European Council focuses primarily on issues involving human rights.
  • B. The Council of the European Union has a degree of legislative power.
  • C. The Council of the European Union is helmed by a president.
  • D. The European Council is comprised of the heads of each EU member state.

Answer: D



NEW QUESTION # 117
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

  • A. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
  • B. The terms of service shall also enumerate all applicable anti-money laundering laws.
  • C. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.
  • D. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.

Answer: A

Explanation:
According to Article 13 of the GDPR, when personal data are collected from the data subject, the controller shall provide the data subject with certain information, such as the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, and the existence of the data subject's rights. This information shall be provided at the time when personal data are obtained. The purpose of this requirement is to ensure that the data subject is informed and aware of how their personal data will be used and shared, and to enable them to exercise their rights accordingly. Therefore, customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process. Reference:
Article 13 of the GDPR
IAPP CIPP/E Study Guide, page 32


NEW QUESTION # 118
Which of the following is one of the supervisory authority's investigative powers?

  • A. To require that controllers or processors adopt approved data protection certification mechanisms.
  • B. To require data controllers to provide them with written notification of all new processing activities.
  • C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
  • D. To notify the controller or the processor of an alleged infringement of the GDPR.

Answer: D

Explanation:
According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations. Reference:
Article 58 of the GDPR
European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities


NEW QUESTION # 119
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine which components make a campaign successful. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped with EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

  • A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
  • B. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
  • C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
  • D. Liem and EcoMick are joint controllers because they carry out joint marketing activities.

Answer: D

Explanation:
Under Article 4(7) of the GDPR a controller is the party that determines the purposes and means of processing, and under Article 26 two or more controllers that jointly determine those purposes and means are joint controllers. Liem and EcoMick planned the campaigns together and agreed to use the same database, MarketIQ, to run them, so they jointly decide why and how the contact data are processed; neither processes the data on the other's behalf, so neither is the other's processor (options A and B). Option C is incorrect because JaphSoft does not act only on its clients' instructions: it chooses its own security measures, retains the data indefinitely and reuses it to improve its own machine-learning models, which is processing for its own purposes rather than the conduct of a mere processor. Reference:
GDPR Article 4(7), Article 26, Article 28
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR
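The scenario describes JaphSoft "pseudonymising" client data by stripping identifiers and then keeping those identifiers in the same database as the pseudonymised rows, with no deletion process. The Python below is an added example, not code from the exam page or from any company in the scenario, showing what Article 4(5) of the GDPR actually asks for: the dataset handed to the processor carries only keyed pseudonyms, while the key and the pseudonym-to-contact map (the "additional information") live in a separate store the processor never receives. All names, functions and sample contacts are constructed for illustration.

```python
"""
Pseudonymisation with the re-identification material kept apart.

Added example (not from the exam page or from any company in the scenario).
Names, functions and the sample contacts below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed marketing-database rows (a stand-in for MarketIQ contacts).
CONTACTS = [
    {"email": "iman@example.org", "name": "Ms. Iman", "purchases": ["eco shoes"]},
    {"email": "lee@example.org", "name": "Lee", "purchases": ["belt", "bag"]},
]

# Constructed list of addresses an attacker might try in a dictionary attack.
GUESSES = ["iman@example.org", "admin@example.org", "lee@example.org"]


def _normalise(email: str) -> bytes:
    return email.strip().lower().encode()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Looks pseudonymous, but anyone holding the dataset can
    re-identify a row by hashing guessed addresses and comparing."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Deterministic under one key, so the processor can
    still link the same contact across campaigns, but unlinkable without the key."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


class SeparateStore:
    """Holds the re-identification material: the key and the pseudonym->contact map.
    Assumption: in production this is a secrets manager plus a table the processor
    has no access to. Here it is an object the processor's code is never handed."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.by_pseudonym = {}

    def pseudonymise(self, contact):
        p = keyed_pseudonym(contact["email"], self.key)
        self.by_pseudonym[p] = contact
        return p

    def reidentify(self, pseudonym):
        """Controller-side lookup; returns None once the mapping has been dropped."""
        return self.by_pseudonym.get(pseudonym)

    def forget(self, email):
        """Erasure on the controller side: drop the mapping so the processor's copy
        of the row can no longer be linked to a person. True if a mapping existed."""
        return self.by_pseudonym.pop(keyed_pseudonym(email, self.key), None) is not None


def build_processor_dataset(contacts, store=None):
    """The dataset the processor receives: a pseudonym plus behavioural data only.
    With store=None the weak unkeyed hash is used, to show the difference."""
    rows = []
    for c in contacts:
        pid = store.pseudonymise(c) if store is not None else naive_pseudonym(c["email"])
        rows.append({"pid": pid, "purchases": list(c["purchases"])})
    return rows


def leaks_direct_identifiers(dataset):
    """True if any row still carries a direct identifier column."""
    return any(k in row for row in dataset for k in ("email", "name"))


def dictionary_attack(dataset, guesses, key=None):
    """Re-identification attempt by someone holding only the dataset (key=None) or
    the dataset plus the key. Returns the guessed addresses that matched a row."""
    pids = {row["pid"] for row in dataset}
    hits = []
    for g in guesses:
        candidate = naive_pseudonym(g) if key is None else keyed_pseudonym(g, key)
        if candidate in pids:
            hits.append(g)
    return hits


if __name__ == "__main__":
    weak = build_processor_dataset(CONTACTS)
    print("unkeyed hash, attacker recovers:", dictionary_attack(weak, GUESSES))
    store = SeparateStore()
    strong = build_processor_dataset(CONTACTS, store)
    print("keyed, attacker without key recovers:", dictionary_attack(strong, GUESSES))
    print("keyed, holder of the key recovers:", dictionary_attack(strong, GUESSES, store.key))
    store.forget("iman@example.org")
    print("after erasure, controller resolves first row to:", store.reidentify(strong[0]["pid"]))
```

The unkeyed hash falls to a dictionary attack over guessed addresses, so it does not count as pseudonymisation in the Article 4(5) sense; the HMAC version falls only to someone who holds the key, which is exactly why the key and the mapping have to be stored apart from the data the processor sees. `SeparateStore.forget` is the controller-side deletion step the scenario's JaphSoft lacks: the processor's rows stay usable for model training, but they can no longer be linked back to a person.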


NEW QUESTION # 120
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  • A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  • B. The European Commission can adopt an adequacy decision for individual companies.
  • C. The European Commission can adopt, repeal or amend an existing adequacy decision.
  • D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.

Answer: C

Explanation:
Under Article 45 of the GDPR the European Commission decides whether a third country, a territory or one or more specified sectors within it, or an international organisation ensures an adequate level of protection; it must review each decision periodically and may repeal, amend or suspend it (Article 45(3) and (5)). Adequacy is assessed against essential equivalence with EU law, not on whether the GDPR has been copied into national legislation (option A); decisions cover countries, territories, sectors or international organisations, not individual companies (option B); and they are Commission implementing acts that member states cannot accept or reject (option D).
Reference:
GDPR Article 45
https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32449


NEW QUESTION # 121
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

  • A. Personal data revealing financial data.
  • B. Personal data revealing trade union membership.
  • C. Personal data revealing ethnic origin.
  • D. Personal data revealing genetic data.

Answer: A


NEW QUESTION # 122
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Avoiding the use of another company's data to improve their own services.
  • B. Requesting advice and technical support from Company A's IT team.
  • C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • D. Vetting companies' measures with the appropriate supervisory authority.

Answer: C


NEW QUESTION # 123
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
What is potentially wrong with the backup system operated in the AWS cloud?

  • A. AWS is a U.S. company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
  • B. It is unlawful to process any personal data in a cloud unless the cloud is certified as GDPR-compliant by a competent supervisory authority.
  • C. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
  • D. The data storage period has to be revised, and a data processing agreement with AWS must be signed.

Answer: D


NEW QUESTION # 124
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  • B. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • C. When it has been determined that adequate protection can be performed.
  • D. Only as a last resort and when interpreted restrictively.

Answer: D

Explanation:
In its FAQ on the Schrems II judgment the EDPB confirmed that transfers may still be based on the Article 49 derogations provided the conditions of that Article are met, and recalled its Guidelines 2/2018 that the derogations must be interpreted restrictively and mainly relate to occasional and non-repetitive transfers; they are a fallback, not a substitute for an adequacy decision or appropriate safeguards. Option C describes the adequacy route rather than a derogation, and neither DPA pre-approval (option A) nor a low-risk DPIA (option B) is a condition of Article 49.
Reference https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf (4)


NEW QUESTION # 125
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

  • A. The requirements had limitations on how national authorities could use data.
  • B. The requirements were financially burdensome to EU businesses.
  • C. The requirements specified that data must be held within the EU.
  • D. The requirements affected individuals without exception.

Answer: D

Explanation:
The Data Retention Directive (Directive 2006/24/EC) was an EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime. In 2014 the Court of Justice of the European Union declared the Directive invalid because it violated the fundamental rights to respect for private life and to the protection of personal data enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the EU. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights that was not limited to what is strictly necessary. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting practically the entire population of the EU. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU.
Reference:
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
Charter of Fundamental Rights of the European Union, Articles 7 and 8
Press release No 54/14, Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others
Judgment of the Court (Grand Chamber) of 8 April 2014, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12 (requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria))


NEW QUESTION # 126
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?

  • A. Consent for data collection is implied through the parent's purchase of the action figure for the child.
  • B. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
  • C. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
  • D. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.

Answer: B


NEW QUESTION # 127
As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.
What would be the most appropriate way to confirm the identity of the customer?

  • A. Request a copy of the customer's government-issued ID document.
  • B. Request a copy of the customer's last bank account statement.
  • C. Request that the customer provide his bank account number.
  • D. Request that the customer answer additional security questions.

Answer: D

Explanation:
According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Article 12(6) allows a controller with reasonable doubts about the requester's identity to ask for the additional information necessary to confirm it, and Recital 64 requires the controller to use all reasonable measures to do so; neither permits collecting more than the verification needs. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties (it appears on invoices, cheques and transfers). Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment. In practice the request already matches a registered email address, so the questions add a second factor; the answers should be compared against the bank's own records, never echoed back to the requester, and repeated failures should escalate to manual verification rather than unlimited retries.
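The verification flow described above, as an added worked example (this is not code from the study guide or from any bank): the requester's email is checked against the registered address, then knowledge-based questions drawn from the account record are answered, with constant-time comparison, a minimum number of correct answers, and a lockout after three attempts. The account record, the three questions and the HMAC key are constructed for the example; a real deployment would load the account from the bank's systems and the key from a secret store.

```python
"""Proportionate identity verification for a data subject access request (DSAR).

Added example: models "confirm the registered email, then ask questions only
the account holder can answer" instead of demanding an ID document.
All account data, questions and keys below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3      # after this, escalate to a human instead of allowing more guesses
MIN_CORRECT = 2       # at least two of the three answers must match


@dataclass
class Account:
    """Facts taken from the customer's own records (constructed sample fields)."""
    email: str
    last_transaction_date: str   # ISO date, e.g. "2024-03-12"
    last_deposit_amount: str     # amount as stored, e.g. "250.00"
    recurring_beneficiary: str   # payee of a standing order


@dataclass
class VerificationState:
    attempts: int = 0
    verified: bool = False


# Question text shown to the requester; keys are the Account attributes checked.
CHALLENGES = {
    "last_transaction_date": "On what date (YYYY-MM-DD) was your most recent transaction?",
    "last_deposit_amount": "What was the amount of your last deposit (e.g. 250.00)?",
    "recurring_beneficiary": "Name the beneficiary of one of your standing orders.",
}


def _normalise(value: str) -> bytes:
    """Trim, lower-case and collapse whitespace so trivial typing differences do not fail a genuine customer."""
    return " ".join(value.strip().lower().split()).encode("utf-8")


def _digest(key: bytes, value: str) -> bytes:
    """Keyed digest of a normalised answer, so the comparison never touches raw account facts."""
    return hmac.new(key, _normalise(value), hashlib.sha256).digest()


def email_matches(request_email: str, account: Account) -> bool:
    """First check: the request must come from the address registered on the account."""
    return hmac.compare_digest(_normalise(request_email), _normalise(account.email))


def verify_answers(account: Account, answers: dict, state: VerificationState,
                   key: bytes, min_correct: int = MIN_CORRECT) -> bool:
    """Second check: count matching answers with constant-time comparisons; enforce the attempt cap."""
    if state.attempts >= MAX_ATTEMPTS:
        return False                      # locked: no further guesses are evaluated
    state.attempts += 1
    correct = 0
    for field_name in CHALLENGES:
        expected = _digest(key, getattr(account, field_name))
        given = _digest(key, answers.get(field_name, ""))
        if hmac.compare_digest(expected, given):
            correct += 1
    state.verified = correct >= min_correct
    return state.verified


def handle_dsar(request_email: str, answers: dict, account: Account,
                state: VerificationState, key: bytes) -> str:
    """Decision for one verification attempt; the answers themselves are never logged or returned."""
    if not email_matches(request_email, account):
        return "reject: email not registered"
    if verify_answers(account, answers, state, key):
        return "verified"
    if state.attempts >= MAX_ATTEMPTS:
        return "locked: escalate to manual verification"
    return "retry"


if __name__ == "__main__":
    # Constructed sample customer and a throwaway key for the demonstration.
    customer = Account("Customer@Example.org", "2024-03-12", "250.00", "Acme Rent Ltd")
    demo_key = secrets.token_bytes(32)
    state = VerificationState()
    given = {"last_transaction_date": "2024-03-12",
             "last_deposit_amount": "250.00",
             "recurring_beneficiary": "not sure"}
    print(handle_dsar("customer@example.org", given, customer, state, demo_key))
```

Two of three correct answers are accepted so that a genuine customer who misremembers one detail is not locked out, while a third party who has only seen one statement still fails; the attempt counter is kept per request, and after the third failure the case goes to a human rather than allowing indefinite guessing.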


NEW QUESTION # 128
In the Planet49 case, what was the main judgment of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

  • A. If the cookies do not track personal data, then pre-checked boxes are acceptable.
  • B. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.
  • C. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
  • D. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

Answer: B


NEW QUESTION # 129
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents". In relation to the emails, Jack listed six members of the management team to whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information. They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search. Jack responded by stating that he would not narrow the scope of the information requested.
Under Article 82 of the GDPR ("Right to compensation and liability"), which party is liable for the damage caused by the data breach?

  • A. Jack and the pharmaceutical company are jointly liable.
  • B. Jack is liable.
  • C. Both parties are exempt, as the company is involved in human health research.
  • D. The pharmaceutical company is liable.

Answer: B

Explanation:
Article 82 of the GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. Article 82(1) states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Article 82(2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Article 82(3) states that a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. In this case, Jack is liable for the damage caused by the data breach, as he violated the GDPR by posting the patient's name and health information, along with disparaging comments, on a social media website. This constitutes an infringement of the GDPR, as it violates the principles of lawfulness, fairness and transparency (Article 5(1)(a)), purpose limitation (Article 5(1)(b)), data minimisation (Article 5(1)(c)), accuracy (Article 5(1)(d)), integrity and confidentiality (Article 5(1)(f)), and the rights of the data subject (Articles 12-23). The pharmaceutical company is not liable for the damage caused by the data breach, as it can prove that it is not in any way responsible for the event giving rise to the damage: the company provided privacy training to Jack, informed him of the privacy policy, had him sign it, and dismissed him as soon as the breach was discovered.
Therefore, the company complied with its obligations under the GDPR, such as the accountability principle (Article 5(2)), data protection by design and by default (Article 25), security of processing (Article 32), and notification of a personal data breach to the supervisory authority (Article 33). Therefore, option B is the correct answer. Reference: Art. 82 GDPR - Right to compensation and liability, Article 82 GDPR - GDPRhub


NEW QUESTION # 130
The GDPR forbids the practice of "forum shopping", which occurs when companies do what?

  • A. Designate their main establishment in the Member State with the most flexible practices.
  • B. File appeals of infringement judgments with more than one EU institution simultaneously.
  • C. Choose the data protection officer that is most sympathetic to their business concerns.
  • D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Answer: A


NEW QUESTION # 131
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

  • A. The processor will be considered to be a controller in respect of the processing concerned
  • B. The controller will be liable to pay an administrative fine
  • C. The processor will be liable to pay compensation to affected data subjects
  • D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Answer: A

Explanation:
Article 28(10) of the GDPR provides that, if a processor infringes the Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing. It therefore takes on the controller's obligations (and exposure to fines and compensation claims) for that processing; it is not, by itself, a reason to fine the original controller, and the controller does not have to show harm to any party for the reclassification to apply. Reference: Art. 28(10) GDPR; https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/


NEW QUESTION # 132
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint?

  • A. T-Craze conducts its marketing and sales activities in France.
  • B. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
  • C. The French affiliate procured the services of Right Target.
  • D. T-Craze has a French affiliate.

Answer: A

Explanation:
According to the CIPP/E study guide, Article 56 of the GDPR establishes the concept of the lead supervisory authority, which is the supervisory authority of the main or single establishment of the data controller or processor in the EU. Under Article 4(16), a controller's main establishment is its place of central administration unless decisions on the purposes and means of processing are taken in another establishment which has the power to have them implemented, in which case that establishment is the main establishment for that processing. The lead supervisory authority has the primary responsibility for dealing with cross-border data processing, in cooperation with other concerned supervisory authorities. Article 60 of the GDPR requires the lead supervisory authority to cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The other supervisory authorities concerned are those established in a Member State where the data controller or processor has an establishment, where data subjects are substantially affected or likely to be substantially affected by the processing, or with which a complaint has been lodged. In the scenario, T-Craze is a German-headquartered company whose French affiliate is responsible for all marketing and sales activities, so decisions about the marketing processing are taken in France. Therefore, the French supervisory authority is the lead supervisory authority for the processing of personal data related to the marketing and sales activities of T-Craze. The Spanish supervisory authority is a concerned supervisory authority, as it received Sofia's complaint and data subjects in Spain are substantially affected by the processing. Therefore, the Spanish supervisory authority notifies the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint, in order to cooperate with the lead supervisory authority and seek consensus on the action to be taken. Reference: CIPP/E study guide, pages 87-88; Art. 4(16), Art. 56 and Art. 60 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

