Free CIPP-E Exam Braindumps (page: 26)

Page 26 of 68

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

  1. Personal data revealing ethnic origin.
  2. Personal data revealing genetic data.
  3. Personal data revealing financial data.
  4. Personal data revealing trade union membership.

Answer(s): C

Explanation:

Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:
personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person's sex life; and
data concerning a person's sexual orientation.
Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc.


Reference:

Special category data | ICO
Art. 9 GDPR Processing of special categories of personal data
Special Categories of Data - International Association of Privacy Professionals
https://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm#:~:text=Processing%20of%20personal%20data%20revealing,concerning%20a%20natural%20person%27s%20sex



When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

  1. When the data has been pseudonymized.
  2. When the data is protected by technological safeguards.
  3. When the data serves legitimate interest of third parties.
  4. When the data subject has failed to use a provided opt-out mechanism.

Answer(s): C

Explanation:

The GDPR provides more latitude for a company to process data beyond its original collection purpose when the data has been pseudonymized, which means that the data can no longer be attributed to a specific data subject without the use of additional information. Pseudonymization is a technique that reduces the linkability of personal data with the data subject, and enhances the security and privacy of the data processing. According to the GDPR, pseudonymization is one of the measures that can help the company to implement the principles of data protection by design and by default, and to demonstrate compliance with the GDPR obligations. Moreover, the GDPR states that the further processing of pseudonymized data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes, provided that appropriate safeguards are in place to protect the rights and freedoms of the data subjects. Therefore, pseudonymization can enable the company to use the data for other purposes that are beneficial for society or for innovation, without compromising the privacy of the individuals.


Reference:

GDPR, Article 4(5), Article 5(1)(b), Article 6(4)(e), Article 25, Article 32(1)(a), Article 40(2)(d), Article 89
Free CIPP/E Study Guide, page 17, section 2.4.1
CIPP/E Certification, page 12, section 1.1.3
CIPP/E Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 45, section 2.4.1
Pseudonymisation techniques and best practices



In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  1. When the data is to be processed for market research.
  2. When providing preventive or counselling services to the child.
  3. When providing the child with materials purely for educational use.
  4. When a legitimate business interest makes obtaining consent impractical.

Answer(s): B

Explanation:

Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child."
Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child's well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child's best interests, and that appropriate safeguards are in place to protect the child's personal data and rights.
The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child's privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child's name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child.

However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child's privacy and autonomy.


Reference:

GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board



An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

  1. Only where the organisation can show that it is reasonable to do so because more than one request was made.
  2. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
  3. Only where the administrative costs of taking the action requested exceed a certain threshold.
  4. Only if the organisation can demonstrate that the request is clearly excessive or misguided.

Answer(s): D

Explanation:

A request may be manifestly unfounded or excessive if it has no clear purpose, is clearly frivolous or vexatious, is made repeatedly by the same data subject, or goes beyond what is reasonably necessary. In such cases, the organisation can either charge a reasonable fee or refuse to act on the request, but it must be able to justify its decision and inform the data subject of the reasons, of their right to lodge a complaint with a supervisory authority, and of their right to a judicial remedy. The other options are not correct, as they either do not reflect the conditions for charging a fee under the GDPR, or are not relevant to the question.


Reference:

Right of access | ICO, Charge for a Data Subject Request GDPR - GDPR Wiki






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect; the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful.
UNITED KINGDOM

X commented on August 08, 2024
Answers are correct.
Anonymous