Free CIPP-E Exam Braindumps (page: 15)

Page 15 of 68

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine which components make a campaign successful. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products.
While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMick's contract with MarketIQ must include all of the following provisions EXCEPT?

  1. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
  2. Notification regarding third party requests for access to Liem and EcoMick's personal data.
  3. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
  4. Returning or deleting personal data after the end of the provision of the services.

Answer(s): B

Explanation:

Article 28(3) GDPR lists the terms a controller-processor contract must contain. Options A, C and D each correspond to one of them: processing only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation (Art. 28(3)(a)); assisting the controller in ensuring compliance with Articles 32 to 36, which includes data protection impact assessments (Art. 28(3)(f)); and deleting or returning all personal data after the end of the provision of services (Art. 28(3)(g)). Notifying the controller of third-party requests for access to its personal data is not among the mandatory Article 28(3) terms; it is a common contractual addition, but the GDPR does not require it. The answer is therefore B.



When is a data sharing agreement MOST likely to be needed?

  1. When anonymized data is being shared.
  2. When personal data is being shared between commercial organizations acting as joint data controllers.
  3. When personal data is being proactively shared by a controller to support a police investigation.
  4. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Answer(s): B

Explanation:

A data sharing agreement is a contract that documents what personal data is being shared, for what purpose and on what lawful basis, and how each party may use it. It does not by itself make the sharing lawful (a lawful basis under Article 6 is still needed), but it records the parties' decisions and helps demonstrate compliance with the accountability principle in Article 5(2). It is most likely to be needed when personal data is shared between commercial organisations acting as joint controllers, because Article 26(1) requires joint controllers to determine their respective responsibilities by means of an arrangement, covering matters such as the purposes and legal basis of the sharing, how data subject rights will be handled, the security measures, and liability for any breaches. The ICO describes a written data sharing agreement as good practice rather than a legal requirement in its own right, and it helps to avoid disputes and confusion. An agreement is less likely to be needed, or can be much less detailed, in the other scenarios. Anonymised data is not personal data under the GDPR and needs no data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public-interest basis, and the controller has little control over how the police use it. Personal data shared with a public authority that has statutory powers to require disclosure is likewise shared under a legal obligation, and the controller may have to comply with the request without any agreement in place.


Reference:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.
Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.
The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.



An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it was most likely lost while an employee was travelling.
What should the company do?

  1. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
  2. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
  3. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
  4. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Answer(s): A

Explanation:

Article 33(1) GDPR requires the controller, in the case of a personal data breach, to notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 4(12) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Loss of a storage device is therefore a breach even if nobody is known to have read the data. In this scenario ABCD is the controller of the client data, and the loss of a memory stick holding unencrypted, clear-text names, addresses and contact details is a breach that may well pose a risk to the data subjects (identity theft, fraud, financial loss or reputational damage), so the "unlikely to result in a risk" exemption does not apply. ABCD should therefore notify the supervisory authority as soon as possible and provide the information listed in Article 33(3): the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Where not all of this is known within 72 hours, Article 33(4) allows the information to be provided in phases; uncertainty about what happened to the stick is not a reason to wait. Option A is correct.

Option B would hold the notification for a month, well beyond the 72-hour deadline, exposing ABCD to administrative fines under Article 83(4)(a). Option C misstates the law: the "disproportionate effort" exception is in Article 34(3)(c), not Article 33, and it relieves the controller only of communicating the breach to each data subject individually (a public communication or similar measure is required instead); it never postpones notification to the supervisory authority. The separate Article 34(3)(a) exemption for data rendered unintelligible to unauthorised persons, for example by encryption, is exactly what ABCD cannot rely on here, because the stick was unencrypted. Option D asserts as fact that the data has been accessed by an unauthorised person, which is not yet known, and communication to data subjects under Article 34(1) is required only where the breach is likely to result in a high risk, after the controller has assessed that risk; the supervisory authority may also require such communication under Article 34(4).


Reference:

Article 33(1) and (4) of the GDPR
Article 4(12) of the GDPR
Article 83(4)(a) of the GDPR
Article 34(3)(a) and (c) of the GDPR
Article 34(1), (2) and (4) of the GDPR



Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

  1. Name and contact details of each controller on behalf of which the processor is acting.
  2. Categories of processing carried out on behalf of each controller for which the processor is acting.
  3. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
  4. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Answer(s): D

Explanation:

According to Article 30(2) GDPR, each processor must maintain a record of all categories of processing activities carried out on behalf of a controller, containing the following information:

the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
the categories of processing carried out on behalf of each controller;
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form (Article 30(3)), and must be made available to the supervisory authority on request (Article 30(4)). Under Article 30(5) the obligation does not apply to an enterprise or organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

Article 30(2) does not require processors to record details of any data protection impact assessment (DPIA). A DPIA is the process under Article 35 for identifying and minimising the data protection risks of a processing operation, and it is the controller's responsibility to carry one out where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor must assist the controller with it (Article 28(3)(f)), but it does not have to document the DPIA in its own record of processing activities. Therefore, the correct answer is D.


Reference:

GDPR, Article 30(2)
GDPR, Article 35
ICO, Documentation
ICO, Data protection impact assessments
https://gdpr-info.eu/art-30-gdpr/






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS
upvote

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work
PORTUGAL
upvote

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM
upvote

X commented on August 08, 2024
answers are correct
Anonymous
upvote