2022 Valid CIPP-E test answers & IAPP Exam PDF [Q88-Q105]

Rate this post

2022 Valid CIPP-E test answers & IAPP Exam PDF

Free IAPP CIPP-E Exam Questions and Answer from Training Expert Real4dumps

What ways to study the IAPP Exam

There are two main types of resources for preparation of certification exams first there are the study guides and the books that are detailed and suitable for building knowledge from the ground up then there are video tutorial and lectures that can somehow ease the pain of through study and are comparatively less boring for some candidates yet these demand time and concentration from the learner. Smart Candidates who want to build a solid foundation in all exam topics and related technologies usually combine video lectures with study guides to reap the benefits of both but there is one crucial preparation tool as often overlooked by most candidates the practice exams. Practice exams are built to make students comfortable with the real exam environment. Statistics have shown that most students fail not due to that preparation but due to exam anxiety the fear of the unknown. Real4dumps expert team recommends you prepare some notes on these topics along with it don’t forget to practice IAPP CIPP/E Exam exam dumps which been written by our expert team, Both these will help you a lot to clear this exam with good marks.

NO.88 Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

If the processing is to be performed by a third-party vendor

If the processing involves data that is considered personal data

If the processing of the data is done through automated means

If the processing is used to predict the behavior of data subjects

NO.89 According to the GDPR, how is pseudonymous personal data defined?

Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Data that has been encrypted or is subject to other technical safeguards.

NO.90 Company X has entrusted the processing of their payroll data to Provider Y.
Provider Y stores this encrypted data in its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

The public

Company X

Law enforcement

The supervisory authority

NO.91 In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.

A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.

A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

NO.92 According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?

Where the technology supporting the website is located

Where the website is accessed

Where the decisions about processing are made

Where the customer’s Internet service provider is located

NO.93

She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

Hiring companies whose measures are consistent with recommendations of accrediting bodies.

Requesting advice and technical support from Company A’s IT team.

Avoiding the use of another company’s data to improve their own services.

Vetting companies’ measures with the appropriate supervisory authority.

NO.94 Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

Within 40 days of receipt

Within 40 days of receipt, which may be extended by up to 40 additional days

Within one month of receipt, which may be extended by up to an additional month

Within one month of receipt, which may be extended by an additional two months

NO.95 SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

The data subjects are no longer current students of Frank’s

The processing will not negatively affect the rights of the data subjects

The algorithms that Frank uses for the processing are technologically sound

The data subjects gave their unambiguous consent for the original processing

NO.96 To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?

Compliant with the security principle, because the data base is password-protected.

Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.

Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data subject.

Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.

NO.97 What are the obligations of a processor that engages a sub-processor?

The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.

The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.

The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

NO.98 Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

NO.99 SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
To ensure GDPR compliance, what should be the company’s position on the issue of consent?

The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.

Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority.

Consent for data collection is implied through the parent’s purchase of the action figure for the child.

Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected.

NO.100 An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal dat a. Under what condition can the organisation charge the data subject for processing the request?

Only where the organisation can show that it is reasonable to do so because more than one request was made.

Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

Only if the organisation can demonstrate that the request is clearly excessive or misguided.

NO.101 What is true if an employee makes an access request to his employer for any personal data held about him?

The employer can automatically decline the request if it contains personal data about a third person.

The employer can decline the request if the information is only held electronically.

The employer must supply all the information held about the employee.

The employer must supply any information held about an employee unless an exemption applies.

NO.102 SCENARIO
Please use the following to answer the next question:
Outliers Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Jonathan, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company ZenFiTech, hoping that they can design a new, cutting-edge website for Outliers Inc.’s foundering business.
During negotiations, a ZenFiTech representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. Outliers Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Jonathan loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The ZenFiTech representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the Outliers Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which ZenFiTech will analyze by means of a special program. Outliers Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Jonathan enthusiastically engages ZenFiTech for these services.
If Outliers Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

The resulting obligation to notify data subjects would involve disproportionate effort.

The incident resulted from the actions of a third-party that were beyond their control.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

The sensitivity of the categories of data involved in the incident was not substantial enough.

NO.103 In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

When creating an untargeted pop-up ad on a website.

When calling a potential customer to notify her of an upcoming product sale.

When emailing a customer to announce that his recent order should arrive earlier than expected.

When paying a search engine company to give prominence to certain products and services within specific search results.

NO.104 When is data sharing agreement MOST likely to be needed?

When anonymized data is being shared.

When personal data is being shared between commercial organizations acting as joint data controllers.

When personal data is being proactively shared by a controller to support a police investigation.

When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

NO.105 Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

Court of Auditors

Court of Justice of European Union

European Court of Human Rights

European Data Protection Board

You can read the IAPP CIPP/E Exam certified salary below

The Average Salary of an IAPP CIPP/E Exam in

United State – 122,750 USD
Europe – 104162 EURO
England – 94029 POUND
India – 9206648 INR

Top IAPP CIPP-E Courses Online: https://www.real4dumps.com/CIPP-E_examcollection.html

2022 Valid CIPP-E test answers & IAPP Exam PDF [Q88-Q105]

What ways to study the IAPP Exam

You can read the IAPP CIPP/E Exam certified salary below

Leave a Reply Cancel reply

Related Posts

[2023] Use Valid Exam CIPP-C by Real4dumps Books For Free Website [Q75-Q98]