Free CIPP-E Exam Braindumps (page: 27)

Page 27 of 68

Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

  1. The consent of the employees.
  2. The legal obligation of the employer.
  3. The legitimate interest of the public administration.
  4. The protection of the vital interest of the employees.

Answer(s): B

Explanation:

According to Article 6 of the GDPR, the processing of personal data is only lawful if and to the extent that at least one of the following applies:

  (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In this case, the Spanish employer would most likely depend on the legal obligation of the employer as the lawful basis for sending the personal data of its employees to the national tax authority. This is because the employer is subject to the tax laws and regulations of Spain, which require the employer to report the income and deductions of its employees to the tax authority on an annual basis. The employer must comply with this legal obligation, and the processing of the employees' personal data is necessary for this purpose. The employer does not need to obtain the consent of the employees, as consent is not a valid basis for processing personal data where there is a clear imbalance between the data subject and the controller, such as in the context of employment. The employer also does not need to rely on the legitimate interest of the public administration, as this is not a specific purpose for which the employer is processing the personal data, but rather a general interest that may be served by the tax authority. The employer also does not need to invoke the protection of the vital interest of the employees, as this basis only applies in situations where the processing is necessary to protect someone's life, such as in a medical emergency.


Reference:

Article 6 GDPR - Lawfulness of processing - General Data Protection Regulation (GDPR)
Lawful basis for processing | ICO
Legal obligation as a lawful basis for processing personal data under the GDPR
Consent in the employment context | ICO
Vital interests | ICO


https://www.huntonprivacyblog.com/2020/03/25/spanish-dpa-publishes-report-on-data-processing-activities-in-relation-to-covid-19/



An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

  1. Use a layered privacy notice on its website and in its email communications.
  2. Identify uses of data in a privacy notice mailed to the data subject.
  3. Provide only general information about its processing activities and offer a toll-free number for more information.
  4. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Answer(s): A

Explanation:

The GDPR requires that the information provided to data subjects about the processing of their personal data must be concise, transparent, intelligible and easily accessible, using clear and plain language. However, this can be challenging when the processing activities are complex, diverse or voluminous. Therefore, a good practice is to use a layered privacy notice, which consists of providing a short notice with the key elements of the privacy information, such as the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the data subject's rights, and the contact details of the data protection officer or the supervisory authority. The short notice can then contain links to more detailed information, either by expanding each section or by directing the user to a separate page or document. This way, the user can easily access the information that is most relevant or important to them, without being overwhelmed by a long and complex notice. A layered privacy notice can be used on websites, in emails, in mobile apps, or in any other medium where space or attention span is limited.


Reference:

1. Art. 12 GDPR - Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)
2. Layered Notice - International Association of Privacy Professionals
3. What methods can we use to provide privacy information? | ICO
4. Layered Notice - West Virginia


https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-bureau-consumer-protection-preliminary-ftc-staff-report-protecting-consumer/101201privacyreport.pdf



The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

  1. The recipients or categories of recipients.
  2. The categories of personal data concerned.
  3. The rights of access, erasure, restriction, and portability.
  4. The right to lodge a complaint with a supervisory authority.

Answer(s): B

Explanation:

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data.


Reference:

Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 13: Information to be provided where personal data are collected from the data subject - GDPR


https://gdpr-info.eu/art-13-gdpr/



According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?

  1. As soon as possible after obtaining the personal data.
  2. As soon as possible after the first communication with the data subject.
  3. Within a reasonable period after obtaining the personal data, but no later than one month.
  4. Within a reasonable period after obtaining the personal data, but no later than eight weeks.

Answer(s): C

Explanation:

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy.


Reference:

GDPR, Article 14
Free CIPP/E Study Guide, page 19, section 2.5.1
CIPP/E Certification, page 14, section 1.2.1
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 14 GDPR - GDPRhub


https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
Answers are correct.
Anonymous