100% Updated IAPP CIPP-E Enterprise PDF Dumps [Q47-Q71]


NEW QUESTION # 47
SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.
Dan also informed Sandy that he wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this goal, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?

  • A. Eliminate the fields, as they are not proportional to the services being offered.
  • B. Only request the information in brackets (i.e., age group and salary range).
  • C. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.
  • D. Make all the fields optional.

Answer: C

Explanation:
Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing [1]. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security. Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions [2]. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets.
Reference:
Free CIPP/E Study Guide, page 23, section 3.1
CIPP/E Certification, page 18, section 3.1
The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1
[1] Principles - General Data Protection Regulation (GDPR), Article 5
[2] Special categories of personal data - General Data Protection Regulation (GDPR), Article 9


NEW QUESTION # 48
According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive the information required for such a purpose under EU data protection law?

  • A. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.
  • B. The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.
  • C. The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.
  • D. The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.

Answer: D


NEW QUESTION # 49
In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

  • A. Storing all personal data within the borders of the European Union.
  • B. Adopting a risk-based approach and implementing supplementary measures as needed.
  • C. Obtaining explicit consent from each EU citizen for every individual data transfer.
  • D. Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.

Answer: B


NEW QUESTION # 50
A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

  • A. The breach notification requirements specified in Articles 33 and 34
  • B. The information requirements set out in Articles 13 and 14
  • C. The lawful processing criteria stipulated by Articles 6 to 9
  • D. The rights granted to data subjects under Articles 12 to 22

Answer: D

Explanation:
The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today [1]. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes [2].
The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union's (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.
Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.
Reference:
[1] OECD Privacy Principles
What are the 7 main principles of GDPR?
Fair Information Practice Principles (FIPPs)
[2] Individual Participation - International Association of Privacy Professionals
What is the right to be forgotten? | Right to erasure | Cloudflare
General Data Protection Regulation - Wikipedia


NEW QUESTION # 51
In which of the following situations would an individual most likely be able to withdraw her consent for processing?

  • A. When she disagrees with a diagnosis her doctor has recorded on her records.
  • B. When she has recently changed jobs and no longer works for the same company.
  • C. When she no longer wishes to be sent marketing materials from an organization.
  • D. When she is leaving her bank and moving to another bank.

Answer: C

Explanation:
Reference: https://gdpr-info.eu/art-7-gdpr/


NEW QUESTION # 52
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When a legitimate business interest makes obtaining consent impractical.
  • B. When providing preventive or counselling services to the child.
  • C. When providing the child with materials purely for educational use.
  • D. When the data is to be processed for market research.

Answer: B

Explanation:
Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child."
Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child's well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child's best interests, and that appropriate safeguards are in place to protect the child's personal data and rights.
The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child's privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child's name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child. However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. 
Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child's privacy and autonomy.
Reference: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board


NEW QUESTION # 53
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

  • A. More information about the algorithm Frank used to mask student numbers.
  • B. More information about the extent of the information loss.
  • C. More information about Frank's data protection training.
  • D. More information about what students have been told and how the research will be used.

Answer: D


NEW QUESTION # 54
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

  • A. Storage Limitation
  • B. Integrity and confidentiality
  • C. Lawfulness, fairness and transparency
  • D. Accuracy

Answer: B


NEW QUESTION # 55
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • B. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  • C. When it has been determined that adequate protection can be performed.
  • D. Only as a last resort and when interpreted restrictively.

Answer: C


NEW QUESTION # 56
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The processing will not negatively affect the rights of the data subjects
  • B. The algorithms that Frank uses for the processing are technologically sound
  • C. The data subjects are no longer current students of Frank's
  • D. The data subjects gave their unambiguous consent for the original processing

Answer: D


NEW QUESTION # 57
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

  • A. Greece
  • B. Norway
  • C. Switzerland
  • D. Australia

Answer: C


NEW QUESTION # 58
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, company Z should do which of the following?

  • A. Notify the supervisory authority about the loss of availability
  • B. Document the loss of availability to demonstrate accountability
  • C. Conduct a thorough audit of all security systems
  • D. Notify affected individuals that their data was unavailable for a period of time.

Answer: A

Explanation:
Reference: https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827 (5)


NEW QUESTION # 59
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps
* Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Maintain a secure Bring Your Own Device (BYOD) program.
  • B. Pursue a GDPR-compliant Privacy by Design process.
  • C. Ensure cloud vendors are complying with internal data use policies.
  • D. Institute a GDPR-compliant employee monitoring process.

Answer: A


NEW QUESTION # 60
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

  • A. Storage Limitation
  • B. Integrity and confidentiality
  • C. Lawfulness, fairness and transparency
  • D. Accuracy

Answer: B

Explanation:
The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures [1]. This principle is known as integrity and confidentiality, or sometimes as security [2]. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it [3]. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage.
Reference: [1] Article 5(1)(f) of the GDPR; [2] A guide to the data protection principles | ICO; [3] Encryption | ICO


NEW QUESTION # 61
In relation to third countries and international organizations, which of the following shall, along with the supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the enforcement of data protection legislation?

  • A. The European Parliament
  • B. The designated Data Protection Officers
  • C. The Council of the European Union.
  • D. The European Commission

Answer: B


NEW QUESTION # 62
In which of the following situations would an individual most likely be able to withdraw her consent for processing?

  • A. When she disagrees with a diagnosis her doctor has recorded on her records.
  • B. When she has recently changed jobs and no longer works for the same company.
  • C. When she no longer wishes to be sent marketing materials from an organization.
  • D. When she is leaving her bank and moving to another bank.

Answer: C

Explanation:
According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation.
Reference: Free CIPP/E Study Guide, page 9; CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).


NEW QUESTION # 63
A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?

  • A. Provide the employee the reasons for retaining the data.
  • B. Store all of the data in case the departing worker makes a subject access request.
  • C. Destroy sensitive information and store the rest per applicable data protection rules.
  • D. Securely store the data that is required to be kept under local law.

Answer: C


NEW QUESTION # 64
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. Binding Corporate Rules are especially recommended for small and medium companies.
  • B. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
  • C. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
  • D. The data exporter does not need to be located in the EU for the standard Contractual Clauses.

Answer: B


NEW QUESTION # 65
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

  • A. An employer might have difficulty obtaining consent from every employee.
  • B. Consent may not be valid if the employee feels compelled to provide it.
  • C. Data protection laws do not apply to processing of employee data.
  • D. Employee data can only be processed if there is an approval from the data protection officer.

Answer: B


NEW QUESTION # 66
What is the most frequently used mechanism for legitimizing cross-border data transfer?

  • A. Binding Corporate Rules.
  • B. Derogations.
  • C. Standard Contractual Clauses.
  • D. Approved Code of Conduct.

Answer: C


NEW QUESTION # 67
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The contact information of the controller and a description of the retention policy.
  • B. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • C. The identity and contact details of the controller and the reasons the data is being collected.
  • D. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

Answer: C

Explanation:
The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source [1][2]. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller's representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing [3][4]. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR [5]. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory.
Reference: [1] Article 13 of the GDPR; [2] Article 14 of the GDPR; [3] Article 13(1)(a) and of the GDPR; [4] Article 14(1)(a) and of the GDPR; [5] Recital 60 of the GDPR


NEW QUESTION # 68
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out sick and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

  • A. The European Data Protection Board.
  • B. The European Commission.
  • C. The Data Protection Authority.
  • D. The Court of Justice of the European Union.

Answer: C


NEW QUESTION # 69
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

  • A. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
  • B. The resulting obligation to notify data subjects would involve disproportionate effort.
  • C. The incident resulted from the actions of a third party that were beyond their control.
  • D. The sensitivity of the categories of data involved in the incident was not substantial enough.

Answer: A

Explanation:
According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach. Reference:
GDPR, Art 33, Art 34, Art 28
Free CIPP/E Study Guide, p. 15
European Data Protection Law & Practice, p. 123-124
Personal data breach notification under the GDPR


NEW QUESTION # 70
When would a data subject NOT be able to exercise the right to portability?

  • A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
  • B. When the processing is carried out pursuant to a contract with the data subject.
  • C. When the processing is based on consent.
  • D. When the data was supplied to the controller by the data subject.

Answer: A

Explanation:
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/


NEW QUESTION # 71
......
