Free CIPP-E Exam Braindumps (page: 29)

Page 29 of 68

What are the obligations of a processor that engages a sub-processor?

  A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
  B. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
  C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
  D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Answer(s): D

Explanation:

According to Article 28(2) of the GDPR, the processor may not engage another processor (sub-processor) without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, Article 28(4) of the GDPR states that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Therefore, the processor must ensure that the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.


Reference:

Article 28 of the GDPR
European Data Protection Law & Practice textbook, Chapter 6: Data Processing Obligations, Section 6.3: Processor Obligations, Subsection 6.3.2: Sub-processors


https://inplp.com/latest-news/article/gdpr-rights-and-obligations-of-sub-processors/



What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

  A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
  B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
  C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
  D. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.

Answer(s): D

Explanation:

According to Article 28(3)(f) of the GDPR, the written agreement between the controller and the processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller's obligations pursuant to Articles 32 to 36 of the GDPR. These obligations include notifying the supervisory authority and the data subjects about personal data breaches, as well as conducting data protection impact assessments and consulting with the supervisory authority when required. The processor must assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, and considering the nature of the processing and the information available to the processor.


Reference:

GDPR Article 28(3)(f)
CIPP/E Textbook, Chapter 6, Section 6.2.2, page 154
Free CIPP/E Study Guide, page 18



To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a password-protected database listing all the social network followers of the client.

Regarding the domain of the controller-processor relationships, how is this situation considered?

  A. Compliant with the security principle, because the database is password-protected.
  B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
  C. Not applicable, because the database is password-protected, and therefore is not at risk of identifying any data subject.
  D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the database.

Answer(s): B

Explanation:

The GDPR requires that the processor only processes personal data on behalf of the controller and according to the controller's instructions. The agreement between the controller and the processor must include provisions that ensure that the processor does not process personal data for any other purposes or in a manner that is inconsistent with the controller's instructions. Therefore, if the processor stores personal data that is not necessary for the performance of the contract with the controller, such as the social network followers of the client, this is a breach of the GDPR and the processor may be fined. The fact that the database is password-protected does not affect the applicability of the GDPR or the security principle, as the data is still personal data that can identify data subjects. The storage limitation principle also requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed, so deleting the database after the audit does not make the situation compliant.


Reference:

1: Article 28 of the GDPR
2: Guidelines 07/2020 on the concepts of controller and processor in the GDPR
3: Understanding Controller-to-Processor Agreements - GDPR Advisor
4: New Guidelines on Data Controllers and Processors: Time to Review Data Processing Agreements
Article 4 of the GDPR
Article 5 of the GDPR



There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

  A. Consent management and withdrawal.
  B. Incident detection and response.
  C. Preventative security.
  D. Remedial security.

Answer(s): A

Explanation:

A) Consent management and withdrawal. Article 32 of the GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. The three domains of security covered by Article 32 are:
Preventative security: This refers to the measures that aim to prevent or reduce the likelihood of security incidents, such as unauthorized or unlawful access, disclosure, alteration, loss or destruction of personal data. Examples of preventative security measures include encryption, pseudonymization, access control, firewalls, antivirus software, etc.
Incident detection and response: This refers to the measures that aim to detect, analyze, contain, eradicate and recover from security incidents, as well as to notify the relevant authorities and data subjects, and to document the facts and actions taken. Examples of incident detection and response measures include security monitoring, logging, auditing, incident response plans, breach notification procedures, etc.
Remedial security: This refers to the measures that aim to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, as well as to mitigate the adverse effects of security incidents on the data subjects. Examples of remedial security measures include backup, disaster recovery, business continuity, compensation, etc.

Consent management and withdrawal is not a domain of security covered by Article 32, but rather a requirement for the lawfulness of processing based on consent under Article 6(1)(a) and Article 7 of the GDPR. Consent management and withdrawal involves obtaining, recording, updating and revoking the consent of data subjects for specific purposes of processing, as well as informing them of their right to withdraw their consent at any time.


Reference:

Free CIPP/E Study Guide, page 35; CIPP/E Certification, page 17; GDPR, Article 32, Article 6(1)(a), Article 7.






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous