CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

Free CIPP-E Exam Braindumps (page: 28)

Page 28 of 68
PDF with 283 Questions

When would a data subject NOT be able to exercise the right to portability?

  1. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
  2. When the processing is carried out pursuant to a contract with the data subject.
  3. When the data was supplied to the controller by the data subject.
  4. When the processing is based on consent.

Answer(s): A

Explanation:

The right to data portability only applies when the processing is based on the data subject's consent or on a contract with the data subject. Therefore, if the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller, the right to data portability does not apply. This is because the data subject does not have a direct influence on the purpose or the means of the processing in such cases.


Reference:

1: Article 20 of the GDPR 2:
Right to data portability | ICO 3: The right to data portability (Article 20 of the GDPR)


https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data- protection- regulation-gdpr/individual-rights/right-to-data-portability/



In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

  1. When she is leaving her bank and moving to another bank.
  2. When she has recently changed jobs and no longer works for the same company.
  3. When she disagrees with a diagnosis her doctor has recorded on her records.
  4. When she no longer wishes to be sent marketing materials from an organization.

Answer(s): D

Explanation:

According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation.


Reference:

Free CIPP/E Study Guide, page 9; CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).


https://gdpr-info.eu/art-7-gdpr/



As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

  1. Supervised by the same Data Protection Officer.
  2. Consistent with Privacy Shield requirements
  3. Bound by a standard contractual clause.
  4. Inextricably linked in their businesses.

Answer(s): D

Explanation:

According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company.


Reference:

1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González


http://curia.europa.eu/juris/document/document.jsf?docid=138782&doclang=EN



A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article.
What else must SearchCo do?

  1. Notify the newspaper that its article it is delisting the article.
  2. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.
  3. Identify other controllers who are processing the same information and inform them of the delisting request.
  4. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer(s): A

Explanation:

According to the European Data Protection Law & Practice textbook, page 326, "the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful." However, the CJEU also stated that "the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine's results following a search made on the basis of the data subject's name." Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject's right to be forgotten.


Reference:

European Data Protection Law & Practice, page 326
CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93



Page 28 of 68



Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS
upvote

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer is should be B, and the explanation is unrelated to the scenario. Other than that great work
PORTUGAL
upvote

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM
upvote

X commented on August 08, 2024
answers are correct
Anonymous
upvote