Exam Details

  • Exam Code: CIPP-E
  • Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 298 Q&As
  • Last Updated: May 08, 2025

IAPP IAPP Certifications CIPP-E Questions & Answers

  • Question 121:

    According to the Personal Data Protection Commission's (PDPC) “Guide to basic data anonymization techniques,” recently adopted by the Spanish Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

    A. Swapping.

    B. Generalization.

    C. Data Adjustment.

    D. Attribute Suppression.

  • Question 122:

    According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

    A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.

    B. If there is such a large amount of data that the controller cannot identify the data subject of the request.

    C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.

    D. If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.

  • Question 123:

    Which mechanism, introduced by the GDPR as a means of ensuring both compliance and transparency, allows for the possibility of personal data transfers to third countries under Article 42?

    A. Approved certifications.

    B. Binding corporate rules.

    C. Law enforcement requests.

    D. Standard contractual clauses.

  • Question 124:

    SCENARIO

    Please use the following to answer the next question:

    Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when sales people are interacting with customers.

    Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye's software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.

    All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

    Based on the scenario, what are the primary privacy risks of the planned surveillance system?

    A. A Chinese vendor and the monitoring of EU-based employees.

    B. Facial recognition data stored in the cloud and lack of encryption.

    C. Excessive scope of monitoring and lack of legitimate purpose for data collection.

    D. Missing E2EE encryption in the monitoring system and unclear data storage duration.

  • Question 125:

    If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

    A. The definition of a central contact point for data subjects.

    B. The rules regarding the exercising of data subjects' rights.

    C. The rules to provide information to data subjects in Articles 13 and 14.

    D. The non-disclosure of the essence of their arrangement to data subjects.

  • Question 126:

    Select the answer below that accurately completes the following:

    "The right to compensation and liability under the GDPR...

    A. ...provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage."

    B. ...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing."

    C. ...can only be exercised against the data controller, even if a data processor was involved in the same processing."

    D. ...is limited to a maximum amount of EUR 20 million per event of damage or loss."

  • Question 127:

    Which of the following is NOT exempt from the material scope of the GDPR, insofar as the processing of personal data is concerned?

    A. A natural person in the course of a large-scale but purely personal or household activity.

    B. A natural person processing data for a small-scale, purely personal or household activity.

    C. A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.

    D. A natural person in the course of activity conducted purely for a personally-owned sole proprietorship.

  • Question 128:

    Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

    A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

    B. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

    C. A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.

    D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.

  • Question 129:

    SCENARIO

    Please use the following to answer the next question:

    You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.

    The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

    In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

    Why is this company obligated to comply with the GDPR?

    A. The company has offices in the EU.

    B. The company employs staff in the EU.

    C. The company's data center is located in a country outside the EU.

    D. The company's products are marketed directly to EU customers.

  • Question 130:

    SCENARIO

    Please use the following to answer the next question:

    Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

    Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

      • Name
      • Address
      • Date of Birth
      • Payroll number
      • National Insurance number
      • Sick pay entitlement
      • Maternity/paternity pay entitlement
      • Holiday entitlement
      • Pension and benefits contributions
      • Trade union contributions

    Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

    Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

    Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.

    This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

    Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

    A. Their omission of data protection provisions in their contract with Company C.

    B. Their failure to provide sufficient security safeguards to Company A's data.

    C. Their engagement of Company C to improve their payroll service.

    D. Their decision to operate without a data protection officer.
