A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
A. If obtaining consent is deemed to involve disproportionate effort.
B. If obtaining consent is deemed voluntary by local legislation.
C. If the company limits the footage to data subjects solely of legal age.
D. If the company's status as a documentary provider allows it to claim legitimate interest.
When would a data subject NOT be able to exercise the right to portability?
A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B. When the processing is carried out pursuant to a contract with the data subject.
C. When the data was supplied to the controller by the data subject.
D. When the processing is based on consent.
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A. The controller will be liable to pay an administrative fine
B. The processor will be liable to pay compensation to affected data subjects
C. The processor will be considered to be a controller in respect of the processing concerned
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?
A. Article 6, which requires processing to be lawful.
B. Article 7, which requires consent to be as easy to withdraw as it is to give.
C. Article 16, which provides data subjects with a right to rectification.
D. Article 20, which gives data subjects a right to data portability.
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?
A. When the data has been pseudonymized.
B. When the data is protected by technological safeguards.
C. When the data serves legitimate interest of third parties.
D. When the data subject has failed to use a provided opt-out mechanism.
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
A. The data subject already has information regarding how his data will be used
B. The provision of such information to the data subject would be too problematic
C. Third-party data would be disclosed by providing such information to the data subject
D. The processing of the data subject's data is protected by appropriate technical measures
The origin of privacy as a fundamental human right can be found in which document?
A. Universal Declaration of Human Rights 1948.
B. European Convention of Human Rights 1953.
C. OECD Guidelines on the Protection of Privacy 1980.
D. Charter of Fundamental Rights of the European Union 2000.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
A. Information about what is specified in the employment contract.
B. Information about who employees should contact with any queries.
C. Information about how providing consent could affect them as employees.
D. Information about how the measures are in the best interests of the company.
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
A. When the data is to be processed for market research.
B. When providing preventive or counselling services to the child.
C. When providing the child with materials purely for educational use.
D. When a legitimate business interest makes obtaining consent impractical.
A news website based in the United States reports primarily on North American events. The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a paid subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?
A. Payments cannot be made in a European Union currency.
B. The controller does not have an establishment in the European Union.
C. The website is not available in several official languages of European Union Member States.
D. The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.