What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A. The controller will be liable to pay an administrative fineMany businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
A. The publicIn which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.SCENARIO
Please use the following to answer the next question:
CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.
CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age,
profession, and the full names of any other adult members of his or her family.
With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy
rates.
To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-ofthe-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite
the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.
If the data on the Uruguay company's servers had been encrypted, what kind of security measure would this be considered?
A. A remediation security measure.According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?
A. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?
A. Ensuring users understand how the system mitigates bias.What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?
A. They are allowed if determined to be technically necessary.The origin of privacy as a fundamental human right can be found in which document?
A. Universal Declaration of Human Rights 1948.In which of the following situations would an individual most likely to be able to withdraw her consent for processing?
A. When she is leaving her bank and moving to another bank.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.