A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
A. The ePrivacy Directive
B. The E-Commerce Directive
C. The Data Retention Directive
D. The EU Cybersecurity Directive
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
B. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
C. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts.
Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can
later beredeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?
A. The request is to obtain access and correct inaccurate personal data in his profile.
B. The request is to obtain access and information about the purpose of processing his personal data.
C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.
An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual's personal data. Which of the following best explain why this practice would NOT be subject to the GDPR?
A. Body temperature is not considered personal data.
B. The practice does not involve completion by automated means.
C. Body temperature is considered pseudonymous data.
D. The practice is for the purpose of alleviating extreme risks to public health.
In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?
A. The predicted consequences of the breach.
B. The measures being taken to address the breach.
C. The type of security safeguards used to protect the data.
D. The contact details of the appropriate data protection officer.
SCENARIO
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What must the contract between WonderKids and the hosting service provider contain?
A. The requirement to implement technical and organizational measures to protect the data.
B. Controller-to-controller model contract clauses.
C. Audit rights for the data subjects.
D. A non-disclosure agreement.
To which of the following parties does the territorial scope of the GDPR NOT apply?
A. All member countries of the European Economic Area.
B. All member countries party to the Treaty of Lisbon.
C. All member countries party to the Paris Agreement.
D. All member countries of the European Union.
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
A. To create and maintain records of processing activities.
B. To conduct Privacy Impact Assessments on behalf of the controller or processor.
C. To monitor compliance with other local or European data protection provisions.
D. To create procedures for notification of personal data breaches to competent supervisory authorities.
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market,
T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through
the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany
Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first
campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career
investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?
A. Accept, because it did not receive any complaints.
B. Accept, because GDPR permits non-lead authorities to take action for such complaints.
C. Reject, because Right Target's processing was conducted throughout Europe.
D. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.
The European Parliament jointly exercises legislative and budgetary functions with which of the following?
A. The European Commission.
B. The Article 29 Working Party.
C. The Council of the European Union.
D. The European Data Protection Board.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.