Free CIPP-E Exam Braindumps (page: 17)

Page 17 of 68

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection.
Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  A. Submit the contract to its own government authority.
  B. Ensure that notice is given to and consent is obtained from data subjects.
  C. Supply any information requested by a data protection authority (DPA) within 30 days.
  D. Ensure that local laws do not impede the company from meeting its contractual obligations.

Answer(s): D

Explanation:

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer. One of these safeguards is the standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations.
Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data.
Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations.


Reference:

1: Article 46(1) of the GDPR
2: Standard Contractual Clauses (SCC) - European Commission
3: EU Standard Contractual Clauses (Word documents)
4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
7: Article 31 of the GDPR



Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

  A. Greece
  B. Norway
  C. Australia
  D. Switzerland

Answer(s): D

Explanation:

Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED) [2]. These decisions contain the European Commission's detailed assessment of the UK's laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 2025 [2].
Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations. Therefore, the correct answer is D. Switzerland.


Reference:

https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html
https://data-privacy-office.eu/courses/cipp-e-official-training-course/
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en



A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution.
Which of the following statements would help the company make an effective decision?

  A. Binding Corporate Rules are especially recommended for small and medium companies.
  B. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.
  C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
  D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Answer(s): C

Explanation:

According to the GDPR, transfers of personal data to third countries or international organisations are only allowed if the controller or processor complies with the conditions laid down in Chapter V of the GDPR [1]. One of these conditions is the existence of an adequacy decision by the European Commission, which means that the third country or international organisation ensures an adequate level of protection for the personal data. However, if there is no adequacy decision, the controller or processor must provide appropriate safeguards for the data transfer, such as binding corporate rules (BCR) or standard contractual clauses (SCC) [3].
Binding corporate rules (BCR) are internal rules adopted by a group of undertakings or enterprises engaged in a joint economic activity, which define its global policy with regard to the international transfers of personal data within the same corporate group or business partners located in third countries. BCR must include all the general data protection principles and enforceable rights to ensure appropriate safeguards for the data transfers. They must be legally binding and enforced by every member concerned of the group. BCR must be approved by the competent supervisory authority in accordance with the consistency mechanism provided by the GDPR [6].
Standard contractual clauses (SCC) are sets of contractual terms and conditions that the controller or processor and the recipient of the data agree to apply to the data transfer. SCC are adopted by the European Commission or by a supervisory authority in accordance with the consistency mechanism and are available in the Official Journal of the European Union. SCC must offer sufficient safeguards on data protection for the data to be transferred internationally.
In the given scenario, option C is the statement that would help the company make an effective decision between BCR and SCC, as it highlights the main advantage of BCR over SCC, which is the global and comprehensive solution that BCR provide for all the entities of a company that are bound by the intra-group agreement. BCR are especially suitable for large and complex organisations that have frequent and high-volume data transfers within the same corporate group or business partners located in third countries. BCR also offer more flexibility and legal certainty than SCC, as they are tailored to the specific needs and structure of the group and do not require individual contracts for each data transfer.
The other options (A, B, and D) are either incorrect or misleading statements that would not help the company make an effective decision between BCR and SCC. Option A is incorrect, as BCR are not recommended for small and medium companies, but rather for large and complex ones, as explained above. Option B is misleading, as it implies that the data exporter can be located outside the EU for the SCC, which is true, but not relevant for the comparison with BCR, as the data exporter can also be located outside the EU for the BCR, as long as it is subject to the GDPR by virtue of Article 3(2). Option D is also misleading, as it implies that the company will need the prior authorization of all EU data protection authorities for concluding SCC, which is false, as the company will only need the prior authorization of the competent supervisory authority in the Member State where the data exporter is established, unless the SCC are modified or supplemented by additional clauses or safeguards.


Reference:

1: [Article 44 of the GDPR]
2: [Article 45 of the GDPR]
3: [Article 46 of the GDPR]
4: [Article 4 (20) of the GDPR]
5: [Article 47 of the GDPR]
6: [Article 63 of the GDPR]
7: [Article 93 of the GDPR]
8: [Article 46 (2) (c) and (d) of the GDPR]
: [Binding Corporate Rules (BCR)]
: [Article 3 (2) of the GDPR]
: [Article 46 (3) (a) and (b) of the GDPR]
: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
: [Binding Corporate Rules (BCR) - European Commission]
: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
: [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en]



Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  A. The European Commission can adopt an adequacy decision for individual companies.
  B. The European Commission can adopt, repeal or amend an existing adequacy decision.
  C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
  D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Answer(s): B

Explanation:

According to Article 45 of the GDPR, the European Commission has the power to determine whether a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data. This means that personal data can flow from the EU and the EEA to that third country without any further safeguard being necessary. The adequacy decision is based on an assessment of the legal framework, the enforcement mechanisms, the access by public authorities, the international commitments and the cooperation with the EU of the third country or organisation. The European Commission also monitors the functioning of the adequacy decisions and can repeal, amend or suspend them if the level of protection is no longer ensured. The European Commission has so far recognised several countries and organisations as providing adequate protection, such as Japan, Canada, Switzerland, the UK and the EU-US Data Privacy Framework.


Reference:

GDPR Article 45, Data protection adequacy for non-EU countries, Adequacy decisions | European Data Protection Board


https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32449






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that great work
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous