What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?
A. To issue updated guidelines for data transfers from the EU to third-country signatories to the Convention.
B. To modify the process for third countries to obtain an adequacy decision from the European Commission.
C. To strengthen data protection in line with the European and international regulatory framework.
D. To establish new data subject rights and safeguards for consumers in the EU member states.
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.
Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?
A. No, the assessors do not qualify as data processors as they only have access to encrypted data.
B. No, the assessors do not qualify as data processors as they do not copy the data to their facilities.
C. Yes, the assessors are considered to be joint data controllers and must sign a mutual data processing agreement.
D. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared
with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central
database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The
assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data
is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is
required by the company. There is no data processing agreement between AWS and the company.
Should Jane modify the required GDPR rights waiver for non-European residents?
A. Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.
B. Yes, this clause must be entirely removed as all customers, regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.
C. No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.
D. No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.
Sanctions for non-compliance with the EU Artificial Intelligence Act (AI Act) could result in a maximum fine of?
A. The higher of up to 10 million Euro or up to 2% of the entity's total worldwide turnover for the preceding financial year.
B. The higher of up to 40 million Euro or up to 8% of the entity's total worldwide turnover for the preceding financial year.
C. The higher of up to 20 million Euro or up to 4% of the entity's total worldwide turnover for the preceding financial year.
D. The higher of up to 30 million Euro or up to 6% of the entity's total worldwide turnover for the preceding financial year.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources
office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
1.
Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
2.
Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
3.
Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival
costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
1.
The lack of any privacy notice in the separate photocall area
2.
The unlawful cross-border processing of his personal data
3.
The unacceptable aesthetic outcome of his photos
Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?
A. The total number of the data subjects interested.
B. The potential harm for the data subjects affected.
C. The limitation of rights of the data subjects concerned.
D. The exposure of the information of the data subjects involved.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources
office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
1.
Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
2.
Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
3.
Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival
costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
1.
The lack of any privacy notice in the separate photocall area
2.
The unlawful cross-border processing of his personal data
3.
The unacceptable aesthetic outcome of his photos
Which of the following principles has likely been violated in the processing of the photocall photos containing personal data?
A. Adequacy.
B. Lawfulness.
C. Transparency.
D. Data minimization.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources
office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
1.
Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
2.
Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
3.
Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival
costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
1.
The lack of any privacy notice in the separate photocall area
2.
The unlawful cross-border processing of his personal data
3.
The unacceptable aesthetic outcome of his photos
Why would consent NOT be considered an adequate legal basis for accessing the party zone?
A. The consent is not completely unambiguous.
B. The consent is not sufficiently informed.
C. The consent is not freely given.
D. The consent is not in writing.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources
office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
1.
Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
2.
Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
3.
Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival
costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
1.
The lack of any privacy notice in the separate photocall area
2.
The unlawful cross-border processing of his personal data
3.
The unacceptable aesthetic outcome of his photos
Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?
A. Where the controller is registered as a company.
B. Where the processor is registered as a company.
C. Where decisions about the processing activities are made.
D. Where the director with responsibility for processing activities is located.
As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.
What would be the most appropriate way to confirm the identity of the customer?
A. Request that the customer provide his bank account number.
B. Request that the customer answer additional security questions.
C. Request a copy of the customer's last bank account statement.
D. Request a copy of the customer's government-issued ID document.
According to Art. 23 GDPR, which of the following data subject rights can NOT be restricted?
A. Right to restriction of processing.
B. Right to erasure ("Right to be forgotten").
C. Right to lodge a complaint with a supervisory authority.
D. Right not to be subject to automated individual decision-making.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.