Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
A. The obligation of companies to declare data breaches.Which of the following is an example of direct marketing that would be subject to European data protection laws?
A. An updated privacy notice sent to an individual's personal email address.SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint?
A. T-Craze has a French affiliate.What are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
A. Both govern international transfers of personal dataPursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?
A. Determining where the controller has its place of central administration in the EEA.SCENARIO
Please use the following to answer the next question:
CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.
CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age,
profession, and the full names of any other adult members of his or her family.
With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy
rates.
To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-ofthe-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite
the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the
two companies.
The disclosure of personal data to the independent company in Uruguay should be regulated by which of the following?
A. Binding Corporate Rules.Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
A. Law firm organizations.The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared
with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central
database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The
assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data
is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is
required by the company. There is no data processing agreement between AWS and the company.
Should Jane modify the required GDPR rights waiver for non-European residents?
A. Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.