SCENARIO
Please use the following to answer the next question:
CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.
CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.
With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.
To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire database stored on the Uruguay company's servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.
If the data on the Uruguay company's servers had been encrypted, what kind of security measure would this be considered?
A. A remediation security measure.
B. A prevention security measure.
C. A corrective security measure.
D. A detection security measure.
SCENARIO
Please use the following to answer the next question:
CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.
CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.
With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.
To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire database stored on the Uruguay company's servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.
The content of the email that CreditPlaya sends does not comply with GDPR requirements because it lacks what?
A. The list of information with regard to personal data that were not obtained from the data subject, according to Article 14.
B. The list of the processors and subprocessors involved in the processing, as required by Article 28.
C. The list of processing activities as set out in the records of processing activities, according to Article 30.
D. The list of technical and organizational measures that will be implemented, according to Article 32.
SCENARIO
Please use the following to answer the next question:
CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.
CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.
With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.
To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire database stored on the Uruguay company's servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.
The refinement of the CreditPlaya Information Tracking System (ITS) is a processing activity that should be?
A. Explained in the privacy notice, with a list of the special categories of applicants' data.
B. Specified in the Terms and Conditions document sent to applicants.
C. Capable of allowing applicants to exercise their Right to Object.
D. Subject to the explicit consent of the applicants.
The Planet 49 decision clarified all of the following issues regarding cookies EXCEPT?
A. Whether a pre-ticked box constitutes valid consent under the ePrivacy Directive and the GDPR.
B. Whether consent may be bundled to cover a number of activities or purposes at the same time.
C. Whether it is necessary to provide information about the duration of cookies and any third-party cookies.
D. Whether users may be forced to provide their consent as a condition for benefiting from goods or services being offered.
Pursuant to Article 17 and EDPB Guidelines 5/2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
A. The personal data has been collected in relation to the offer of information society services (ISS) to a child.
B. The data subject withdraws consent and there is no other legal basis for the processing.
C. The personal data is no longer necessary in relation to the search engine provider's processing.
D. The processing is necessary for exercising the right of freedom of expression and information.
Article 58 of the GDPR describes the powers of supervisory authorities. Which of the following is NOT among those granted?
A. Legislative powers.
B. Corrective powers.
C. Investigatory powers.
D. Authorization and advisory powers.
Which of the following statements is inconsistent with the EDPB's position on qualifying a given processing as a “transfer” under Chapter V of the GDPR?
A. Transfers subject to the GDPR can only occur when two separate parties – each of them a controller, joint controller or processor – are involved.
B. Transfers subject to the GDPR may involve data disclosures between entities belonging to the same corporate group (intra-group data disclosures).
C. Transfers subject to the GDPR may involve remote access of personal data from a third country during a business trip of an employee of the controller for the given processing.
D. Transfers in which a controller or processor makes personal data available to another controller, joint controller, or processor need to be subject to the GDPR for the given processing.
To comply with the GDPR and the EU Court of Justice's decision in Schrems II, the European Commission issued what are commonly referred to as the new standard contractual clauses (SCCs). As a result, businesses must do all of the following EXCEPT?
A. Consider the new optional docking clause, which expressly permits adding new parties to the SCCs.
B. Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022.
C. Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer.
D. Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner's Office does not have the authority to publish its own set of SCCs.
The EDPB's Guidelines 8/2020 on the Targeting of Social Media Users stipulate that in order to rely on legitimate interest as a legal basis to process personal data, three tests must be passed. Which of the following is NOT one of the three tests?
A. Purpose test.
B. Necessity test.
C. Balancing test.
D. Adequacy test.
The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?
A. Controllers must be given notice of any subprocessors and have a right of objection.
B. Individuals authorized to process the personal data are subject to an obligation of confidentiality.
C. Any personal data related to data subjects must be securely maintained for a maximum of ten years.
D. Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.