In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
A. If the cookies do not track personal data, then pre-checked boxes are acceptable.
B. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.
C. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
D. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
SCENARIO Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app
and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user
consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already
have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with
your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third-party without a
customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you
first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can
unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. [...]
2.Applicable law. [...]
3.Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of
any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company
may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
What is one potential problem Vigotron's age policy might encounter under the GDPR?
A. Age restrictions are more stringent when health data is involved.
B. Users are only required to be aged 13 or over to be considered adults.
C. Organizations must make reasonable efforts to verify parental consent.
D. Organizations that tie a service to marketing must seek consent for each purpose.
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A. A company wants to combine location data with other data in order to offer more personalized service for the customer.
B. A company wants to use location data to infer information on a person's clothes purchasing habits.
C. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
D. A company wants to use location data to track delivery trucks in order to make the routes more efficient.
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removedthe document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box' Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?
A. The lack of the option to opt in.
B. The level of security within the website.
C. The contract with the third-party advertising network.
D. The need to have the contents of the advertising approved.
A U.S. company's website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?
A. The widgets are offered in EU and priced in euro.
B. The website is in English and French, and is accessible in France.
C. An affiliate office is located in France but the processing is in the U.S.
D. The website places cookies to monitor the EU website user behavior.
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
A. The European Commission can adopt an adequacy decision for individual companies.
B. The European Commission can adopt, repeal or amend an existing adequacy decision.
C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
For which of the following operations would an employer most likely be justified in requesting the data subject's consent?
A. Posting an employee's bicycle race photo on the company's social media.
B. Processing an employee's health certificate in order to provide sick leave.
C. Operating a CCTV system on company premises.
D. Assessing a potential employee's job application.
SCENARIO Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared
with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central
database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The
assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data
is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is
required by the company. There is no data processing agreement between AWS and the company.
Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?
A. No, the assessors do not quality as data processors as they only have access to encrypted data.
B. No. the assessors do not quality as data processors as they do not copy the data to their facilities.
C. Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.
D. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
What is true if an employee makes an access request to his employer for any personal data held about him?
A. The employer can automatically decline the request if it contains personal data about a third person.
B. The employer can decline the request if the information is only held electronically.
C. The employer must supply all the information held about the employee.
D. The employer must supply any information held about an employee unless an exemption applies.
Which of the following is the weakest lawful basis for processing employee personal data?
A. Processing based on fulfilling an employment contract.
B. Processing based on employee consent.
C. Processing based on legitimate interests.
D. Processing based on legal obligation.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.