Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
A. The European CouncilSCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts.
Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can
later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?
A. Not more than one month of receipt of Mike's request.SCENARIO Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity
of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of
customer service when sales people are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7
access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The
monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use
a built-in verification technology involving facial recognition each time they log in.
All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.
Under what condition could the surveillance system be used on the personal devices of employees?
A. Only if the monitoring system is manufactured by a European vendor storing the monitoring data within the EU.In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?
A. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
A. Use a layered privacy notice on its website and in its email communications.SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?
A. Make all the fields optional.A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?
A. If the data protection officer lacks ISO 27001 auditor certification.A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?
A. The lawful processing criteria stipulated by Articles 6 to 9SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.
Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?
A. No, the assessors do not qualify as data processors as they only have access to encrypted data.Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
A. The ability to enact new laws by executive order.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.