According to Art. 23 GDPR, which of the following data subject rights can NOT be restricted?
A. Right to restriction of processing.If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?
A. The individuals are European citizens or residents.SCENARIO
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to
you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What additional information must Wonderkids provide in their Privacy Statement?
A. How often promotional emails will be sent.According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?
A. Where the technology supporting the website is locatedUnder what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
A. When an individual has not consented to the marketing.SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and on boarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance. a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-loend encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it
receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data. Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?
A. HRYourWay was ultimately not selectedWhen does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?
A. After a personal data breach.When would a data subject NOT be able to exercise the right to portability?
A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.SCENARIO Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity
of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of
customer service when sales people are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7
access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The
monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use
a built-in verification technology involving facial recognition each time they log in.
All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.
Based on the scenario, what are the primary privacy risks of the planned surveillance system?
A. A Chinese vendor and the monitoring of EU-based employees.Why is advisable to avoid consent as a legal basis for an employer to process employee data?
A. Employee data can only be processed if there is an approval from the data protection officer.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.