Authentic CIPP-E Dumps With 100% Passing Rate Practice Tests Dumps [Q95-Q119]

Share

Authentic CIPP-E Dumps With 100% Passing Rate Practice Tests Dumps

IAPP CIPP-E Real Exam Questions Guaranteed Updated Dump from ValidDumps


The CIPP-E exam covers key topics such as the European privacy framework, data protection principles, and the GDPR (General Data Protection Regulation). Certified Information Privacy Professional/Europe (CIPP/E) certification program provides individuals with the necessary skills and knowledge to navigate the complex and ever-changing landscape of privacy laws and regulations in Europe. The CIPP-E exam not only provides individuals with a competitive advantage in their careers, but it also demonstrates their commitment to upholding the highest standards of privacy and data protection.

 

NEW QUESTION # 95
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

  • A. More information about what students have been told and how the research will be used.
  • B. More information about Frank's data protection training.
  • C. More information about the algorithm Frank used to mask student numbers.
  • D. More information about the extent of the information loss.

Answer: A


NEW QUESTION # 96
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

  • A. The requirement to demonstrate compliance to a supervisory authority.
  • B. The obligation of companies to declare data breaches.
  • C. The necessity of the bulk collection of personal data by the government.

Answer: A

Explanation:
Reference https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0449&from=HU


NEW QUESTION # 97
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

  • A. Ruth's implied consent.
  • B. Protecting against legal liability from Ruth.
  • C. Protecting the vital interest of Ruth.
  • D. Performance of a contract with Ruth.

Answer: C

Explanation:
According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth's medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.


NEW QUESTION # 98
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?

  • A. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
  • B. It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.
  • C. The data storage period has to be revised, and a data processing agreement w*h AWS must be signed
  • D. AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.

Answer: C

Explanation:
According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed1. Therefore, the data storage period of the backup system must be aligned with this principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects2. This is usually done by signing a data processing agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR4. Reference:
Free CIPP/E Study Guide, page 24, section 4.2.1
Free CIPP/E Study Guide, page 25, section 4.3
GDPR, Article 28
GDPR - Amazon Web Services (AWS), section "GDPR resources"


NEW QUESTION # 99
Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

  • A. Proportionate.
  • B. Prudent.
  • C. DPA-approved.
  • D. Important.

Answer: A

Explanation:
According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. Reference: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.


NEW QUESTION # 100
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

  • A. Encrypting data in transit and at rest using strong encryption algorithms.
  • B. Conducting regular audits of the data protection program.
  • C. Anonymizing special categories of data.
  • D. Getting consent from the data subject for a cross border data transfer.

Answer: B

Explanation:
The accountability principle found in Article 5, Section 2 of the GDPR requires data controllers to take responsibility for complying with the GDPR and to be able to demonstrate their compliance1. This means that data controllers must implement appropriate technical and organisational measures to ensure and show that they process personal data in accordance with the GDPR2. One of the measures that can demonstrate compliance with the accountability principle is conducting regular audits of the data protection program. Audits are systematic and independent assessments of the data processing activities and the data protection policies and procedures of an organisation3. They can help to identify and address any gaps or risks in the data protection program, as well as to verify the effectiveness and efficiency of the data protection measures3. Audits can also provide evidence of compliance to the supervisory authorities and the data subjects, as well as to enhance the trust and reputation of the organisation3. Therefore, conducting regular audits of the data protection program is a way to demonstrate compliance with the accountability principle. Reference: 1: CIPP/E study guide, page 15; Art. 5 GDPR; Accountability principle | ICO2: CIPP/E study guide, page 16; Art. 24 GDPR; [Guide to accountability and governance | ICO]3: CIPP/E study guide, page 91; [Auditing | ICO]; [GDPR Audits: What You Need to Know - IT Governance Blog].


NEW QUESTION # 101
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

  • A. The group of undertakings must be comprised of organizations of similar sizes and functions.
  • B. The data protection officer must be easily accessible from each establishment where the undertakings are located.
  • C. The group of undertakings must obtain approval from a supervisory authority.
  • D. The data protection officer must be located in the country where the data controller has its main establishment.

Answer: B


NEW QUESTION # 102
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

  • A. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • B. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
  • C. The right to privacy has to be balanced against other rights under the ECHR
  • D. The right to privacy is an absolute right

Answer: C

Explanation:
Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. Reference:
Article 8 - Protection of personal data
Your right to respect for private and family life
Right to respect for private and family life
Guide on Article 8 of the European Convention on Human Rights
European Convention on Human Rights - Article 8


NEW QUESTION # 103
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

  • A. Personal data revealing ethnic origin.
  • B. Personal data revealing trade union membership.
  • C. Personal data revealing financial data.
  • D. Personal data revealing genetic data.

Answer: C

Explanation:
Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:
personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person's sex life; and
data concerning a person's sexual orientation.
Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. Reference:
Special category data | ICO
Art. 9 GDPR Processing of special categories of personal data
Special Categories of Data - International Association of Privacy Professionals


NEW QUESTION # 104
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

  • A. To create and maintain records of processing activities.
  • B. To create procedures for notification of personal data breaches to competent supervisory authorities.
  • C. To monitor compliance with other local or European data protection provisions.
  • D. To conduct Privacy Impact Assessments on behalf of the controller or processor.

Answer: C

Explanation:
Reference https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required- gdpr-compliance


NEW QUESTION # 105
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

  • A. The requirements affected individuals without exception.
  • B. The requirements were financially burdensome to EU businesses.
  • C. The requirements had limitations on how national authorities could use data.
  • D. The requirements specified that data must be held within the EU.

Answer: A

Explanation:
The Data Retention Directive was a EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime1. However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU2. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary3. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU4. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU5. Reference: 1 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC2 Charter of Fundamental Rights of the European Union3 Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others4 Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Karntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Joined cases C-293/12 and C-594/125 Ibid.
Reference:
%20the%20Grand,proportionality%20in%20forging%20the%20Directive.


NEW QUESTION # 106
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

  • A. A mandatory notification for personal data breaches applicable to all data controllers.
  • B. A voluntary notification for personal data breaches applicable to all data controllers.
  • C. A mandatory notification for personal data breaches applicable to electronic communication providers.
  • D. A voluntary notification for personal data breaches applicable to electronic communication providers.

Answer: C

Explanation:
The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. Reference: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches


NEW QUESTION # 107
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt
  • B. Within 40 days of receipt, which may be extended by up to 40 additional days
  • C. Within one month of receipt, which may be extended by up to an additional month
  • D. Within one month of receipt, which may be extended by an additional two months

Answer: C


NEW QUESTION # 108
Which of the following is NOT exempt from the material scope of the GDPR. insofar as the processing of personal data is concerned?

  • A. A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.
  • B. A natural person processing data foe a small-scale, purely personal or household activity.
  • C. A natural person in the course of activity conducted purely tor a personally-owned sole proprietorship.
  • D. A natural person in the course of a large-scale but purely personal or household activity.

Answer: D

Explanation:
The material scope of the GDPR is outlined in Article 21. The Regulation applies to 'processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.'1 However, the Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity1. This exemption is meant to protect the privacy of individuals in their private sphere and to exclude activities that have no connection with a professional or commercial activity2. The exemption covers activities such as correspondence, social networking, online publication of photos or videos, and the use of online services for personal purposes2. However, the exemption does not apply if the processing of personal data affects the rights and freedoms of others, such as when the data is made accessible to an indefinite number of people3. Therefore, the processing of personal data by a natural person in the course of a large-scale but purely personal or household activity is not exempt from the material scope of the GDPR, as it may have an impact on the privacy of other individuals. The other options are exempt from the material scope of the GDPR, as they involve small-scale, purely personal or household activities that do not affect the rights and freedoms of others. Reference: 1: Article 2 of the GDPR2: Recital 18 of the GDPR3: CJEU, Case C-101/01, Lindqvist, 2003.


NEW QUESTION # 109
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  • A. Ensure that notice is given to and consent is obtained from data subjects.
  • B. Supply any information requested by a data protection authority (DPA) within 30 days.
  • C. Ensure that local laws do not impede the company from meeting its contractual obligations.
  • D. Submit the contract to its own government authority.

Answer: D


NEW QUESTION # 110
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

  • A. Information about how providing consent could affect them as employees.
  • B. Information about how the measures are in the best interests of the company.
  • C. Information about what is specified in the employment contract.
  • D. Information about who employees should contact with any queries.

Answer: C


NEW QUESTION # 111
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

  • A. Switzerland
  • B. Greece
  • C. Norway
  • D. Australia

Answer: A

Explanation:
Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary12.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection13. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED)2. These decisions contain the European Commission's detailed assessment of the UK's laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 20252.
Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations13. Therefore, the correct answer is D. Switzerland. Reference:
https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html https://data-privacy-office.eu/courses/cipp-e-official-training-course/


NEW QUESTION # 112
Higher fines are assessed for GDPR violations due to which of the following?

  • A. Violations of a data controller's obligations to obtain a child's consent
  • B. Violations of a data subject"s rights
  • C. Failure to notify a supervisory authority and data subjects of a personal data breach
  • D. Failure to appoint a data protection officer.

Answer: B

Explanation:
The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:
The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43; The obligations of the certification body pursuant to Articles 42 and 43; The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:
The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9; The data subjects' rights pursuant to Articles 12 to 22; The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; Any obligations pursuant to Member State law adopted under Chapter IX; Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject's rights, as these are among the infringements that fall under the higher tier of fines. Data subjects' rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. Reference: Art. 83 GDPR - General conditions for imposing administrative fines, Article 83 GDPR - GDPRhub


NEW QUESTION # 113
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?

  • A. Department for Education records
  • B. Staff and alumni records
  • C. Student records
  • D. Frank's performance database

Answer: D


NEW QUESTION # 114
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?

  • A. Data access disputes
  • B. Cross-border processing
  • C. Special categories of data
  • D. Data subject rights

Answer: B


NEW QUESTION # 115
Which type of personal data does the GDPR define as a "special category" of personal data?

  • A. Closed Circuit Television (CCTV) footage.
  • B. Educational history.
  • C. Trade-union membership.
  • D. Financial information.

Answer: C

Explanation:
According to Article 9 of the GDPR, special category data is personal data that needs more protection because it is sensitive. The GDPR defines 10 types of personal data as special categories, which are:
personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person's sex life; and
data concerning a person's sexual orientation.
Among the answer choices, only option B falls under one of these categories, as trade union membership is considered to reveal political opinions or beliefs. Option A, C and D are not considered as special category data, as they do not reveal any sensitive information about the data subject. However, they are still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. Reference:
Special category data | ICO
Art. 9 GDPR Processing of special categories of personal data
Special Categories of Data - International Association of Privacy Professionals


NEW QUESTION # 116
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  • A. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  • B. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
  • C. The supplier assumes the vendor's business risk associated with data processed by the supplier.
  • D. The supplier determines the location, security measures, and service standards applicable to the processing.

Answer: C


NEW QUESTION # 117
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

  • A. Ruth's implied consent.
  • B. Protecting against legal liability from Ruth.
  • C. Protecting the vital interest of Ruth
  • D. Performance of a contract with Ruth.

Answer: B


NEW QUESTION # 118
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention
108?

  • A. Both require notification of processing activities to a supervisory authority
  • B. Both only apply to European Union countries
  • C. Both govern the manual processing of personal data
  • D. Both govern international transfers of personal data

Answer: A


NEW QUESTION # 119
......


The CIPP-E certification is highly valued by employers in the EU and beyond. It provides individuals with a competitive edge in the job market and demonstrates their expertise in the field of data protection and privacy. Certified Information Privacy Professional/Europe (CIPP/E) certification also provides individuals with access to a global community of privacy professionals and resources, including networking opportunities, educational events, and online forums.

 

Verified Pass CIPP-E Exam in First Attempt Guaranteed: https://www.validdumps.top/CIPP-E-exam-torrent.html

Free CIPP-E Sample Questions and 100% Cover Real Exam Questions: https://drive.google.com/open?id=1L0G7pYBtfqAqU_4EtaHj5LF-5IF52rbN