Exam Details

  • Exam Code: CIPP-E
  • Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 298 Q&As
  • Last Updated: May 08, 2025

IAPP IAPP Certifications CIPP-E Questions & Answers

  • Question 51:

    In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

    A. Approved data controllers.

    B. The Council of the European Union.

    C. National data protection authorities.

    D. The European Data Protection Supervisor.

  • Question 52:

    What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

    A. Both govern international transfers of personal data

    B. Both govern the manual processing of personal data

    C. Both only apply to European Union countries

    D. Both require notification of processing activities to a supervisory authority

  • Question 53:

    SCENARIO

    Please use the following to answer the next question:

    Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

    Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.

    Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.

    Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

    A. She was not told which controller would be processing her personal data.

    B. She only viewed the visual representations of the privacy notice Liem provided.

    C. She did not read the privacy notice stating that her personal data would be shared.

    D. She has never made any purchases from JaphSoft and has no relationship with the company.

  • Question 54:

    An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

    A. Only where the organization can show that it is reasonable to do so because more than one request was made.

    B. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

    C. Only where the administrative costs of taking the action requested exceed a certain threshold.

    D. Only if the organization can demonstrate that the request is clearly excessive or misguided.

  • Question 55:

    Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

    A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

    B. The name/s of relevant government agencies involved and the steps needed for revising the data.

    C. The identity and contact details of the controller and the reasons the data is being collected.

    D. The contact information of the controller and a description of the retention policy.

  • Question 56:

    The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?

    A. Adopt a supplementary data transfer mechanism.

    B. Monitor the ongoing validity of the data transfer mechanism.

    C. Adopt technical, contractual or organizational supplementary measures.

    D. Monitor changes in the law or practice of the third country that would lower the level of protection of personal data.

  • Question 57:

    According to the GDPR, Article 4(14), biometric data is defined as:

    "Personal data resulting from specific technical processing relating to the ______ characteristics of a natural person"

    Which term could NOT be placed in the above definition?

    A. Psychological.

    B. Physical.

    C. Intellectual.

    D. Behavioral.

  • Question 58:

    SCENARIO

    Please use the following to answer the next question:

    Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

    People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

    The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

    All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.

    The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will never be shared with private third parties.

    The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

    All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.

    Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

    A. The terms of service shall also enumerate all applicable anti-money laundering laws.

    B. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

    C. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access the data.

    D. Customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

  • Question 59:

    SCENARIO

    Please use the following to answer the next question:

    Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.

    Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.

    What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?

    A. Make all the fields optional.

    B. Only request the information in brackets (i.e., age group and salary range).

    C. Eliminate the fields, as they are not proportional to the services being offered.

    D. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.

  • Question 60:

    What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

    A. It did not account for the rapid growth of the Internet

    B. It did not include protections for sensitive personal data

    C. It was implemented in a fragmented manner by a small number of states.

    D. Its penalties for violations of data protection rights were widely viewed as insufficient.
