CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

Free CIPP-E Exam Braindumps (page: 11)

Page 11 of 68
PDF with 283 Questions

Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  1. Within 40 days of receipt
  2. Within 40 days of receipt, which may be extended by up to 40 additional days
  3. Within one month of receipt, which may be extended by up to an additional month
  4. Within one month of receipt, which may be extended by an additional two months

Answer(s): D

Explanation:

: According to the GDPR, data controllers must respond to a data access request (also known as a subject access request or SAR) without undue delay and in any event within one month of receipt of the request. This time limit can be extended by a further two months if the request is complex or if the controller receives a number of requests from the same individual. However, the controller must still inform the individual within one month of receipt of the request and explain why the extension is necessary. The time limit is calculated from the day after the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. If there is no corresponding calendar date, the deadline is the last day of the next month. If the deadline falls on a weekend or public holiday, the response must be provided on the next working day.


Reference:

GDPR, Article 12(3)
ICO, Right of access1
ICO, Time limits for responding to data protection rights requests2


https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data- protection- regulation-gdpr/individual-rights/right-of-access/



A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop's PRIMARY obligation while engaging in this kind of profiling?

  1. It must solicit informed consent through a notice on its website
  2. It must seek authorization from the European supervisory authorities
  3. It must be able to demonstrate a prior business relationship with the customers
  4. It must prove that it uses sufficient security safeguards to protect customer data

Answer(s): A

Explanation:

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them. In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop's profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject's right to withdraw their consent at any time and to object to the profiling. Therefore, the online shop's primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent. The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control.


Reference:

1: What is automated individual decision-making and profiling?
2: Article 5 of the GDPR
3: Rights related to automated decision making including profiling
4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
5: Article 9 of the GDPR
6: Article 4 (11) of the GDPR
7: Article 7 of the GDPR
: Article 13 and 14 of the GDPR
: Article 21 of the GDPR
: Article 12 of the GDPR
: [Guidelines on consent under Regulation 2016/679]
: Article 24 of the GDPR
: Article 36 of the GDPR
: [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]
: [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf] : [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]



Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

  1. If the processing is to be performed by a third-party vendor
  2. If the processing involves data that is considered personal data
  3. If the processing of the data is done through automated means
  4. If the processing is used to predict the behavior of data subjects

Answer(s): A

Explanation:

The GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Therefore, the relevant factors when determining if a processing activity would be considered profiling are:
whether the processing involves data that is considered personal data; whether the processing of the data is done through automated means; and whether the processing is used to predict the behavior of data subjects. The identity of the processor, whether it is the controller or a third-party vendor, is not relevant for the definition of profiling. However, it may have implications for the accountability and responsibility of the parties involved, as well as the data protection rights of the data subjects.


Reference:

CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What is automated individual decision-making and profiling? | ICO, WP29 releases guidelines on profiling under the GDPR, UK: A Guide To GDPR Profiling And Automated Decision-Making - Mondaq



Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

  1. Carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection.
  2. Consider the impact of the profiling on the data subject's interest, rights and freedoms.
  3. Demonstrate that the profiling is for the purposes of direct marketing.
  4. Consider the importance of the profiling to their particular objective.

Answer(s): C

Explanation:

: According to the UK GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The WP 29 Guidelines on Automated individual decision-making and Profiling provide some guidance on how to assess the existence of such compelling legitimate grounds. The controller needs to carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection, consider the impact of the profiling on the data subject's interest, rights and freedoms, and consider the importance of the profiling to their particular objective. However, the controller does not need to demonstrate that the profiling is for the purposes of direct marketing, as this is a separate ground for objection under Article 21(2) of the UK GDPR, which gives the data subject an absolute right to object to such processing. Therefore, option C is the correct answer, as it is not required by the controller to demonstrate that it has compelling legitimate grounds for profiling.


Reference:

132
https://gdpr.eu/article-21-right-to-object/ https://ico.org.uk/for-organisations-2/guide-to-data- protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

https://gdpr-info.eu/art-21-gdpr/



Page 11 of 68



Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS
upvote

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer is should be B, and the explanation is unrelated to the scenario. Other than that great work
PORTUGAL
upvote

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM
upvote

X commented on August 08, 2024
answers are correct
Anonymous
upvote