Free CIPP-E Exam Braindumps (page: 31)

Page 31 of 68

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  A. Incidents of personal data breaches, whether disclosed or not.
  B. Data inventory or data mapping exercises that have been conducted.
  C. Categories of recipients to whom the personal data have been disclosed.
  D. Retention periods for erasure and deletion of categories of personal data.

Answer(s): A

Explanation:

Article 30 of the GDPR requires controllers (and, under Article 30(2), processors) to maintain records of their processing activities. For a controller these records include the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients to whom the personal data have been or will be disclosed, any transfers to third countries, the envisaged time limits for erasure of the different categories of data and, where possible, a general description of the technical and organisational security measures. Article 30 does not require controllers to keep records of personal data breaches. Breach documentation is a separate obligation under Article 33(5), which requires the controller to document any personal data breach (the facts, its effects and the remedial action taken) so that the supervisory authority can verify compliance. Article 33 requires the controller to notify the supervisory authority of a breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons, and Article 34 requires the controller to communicate the breach to the data subjects where it is likely to result in a high risk to those rights and freedoms.


Reference:

1: Article 30 of the GDPR
2: What do we need to document under Article 30 of the UK GDPR? | ICO
3: Article 33 of the GDPR
4: Article 34 of the GDPR

https://medium.com/golden-data/what-records-must-controllers-and-processors-keep-to-comply-with-eu-data-protection-law-3e8bac177695



In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

  A. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
  B. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
  C. When the controller is required to have a Data Protection Officer.
  D. When personal data is being transferred outside of the EEA.

Answer(s): B

Explanation:

According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. Under Article 35(1), a DPIA is required where the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. Article 35(3) lists processing operations for which a DPIA is required in particular:

  (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  (b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences;
  (c) systematic monitoring of a publicly accessible area on a large scale.

Therefore, the scenario in which a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR.


Reference:

Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.

https://www.tandfonline.com/doi/full/10.1080/13600834.2020.1790092#:~:text=Article%2035%20of%20the%20General,and%20freedoms%20of%20natural%20persons%27



Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

  A. Anonymizing special categories of data.
  B. Conducting regular audits of the data protection program.
  C. Getting consent from the data subject for a cross border data transfer.
  D. Encrypting data in transit and at rest using strong encryption algorithms.

Answer(s): B

Explanation:

The accountability principle found in Article 5(2) of the GDPR requires data controllers to take responsibility for complying with the GDPR and to be able to demonstrate their compliance. Under Article 24, this means that data controllers must implement appropriate technical and organisational measures to ensure, and to be able to show, that they process personal data in accordance with the GDPR. One of the measures that can demonstrate compliance with the accountability principle is conducting regular audits of the data protection program. Audits are systematic and independent assessments of the data processing activities and the data protection policies and procedures of an organisation. They help to identify and address gaps or risks in the data protection program, and to verify the effectiveness of the data protection measures. Audits also provide evidence of compliance to the supervisory authorities and the data subjects, and enhance the trust and reputation of the organisation. Therefore, conducting regular audits of the data protection program is a way to demonstrate compliance with the accountability principle. The other options are security or transfer measures that may be required under other provisions of the GDPR, but they do not by themselves demonstrate accountability.


Reference:

1: CIPP/E study guide, page 15; Art. 5 GDPR; Accountability principle | ICO
2: CIPP/E study guide, page 16; Art. 24 GDPR; Guide to accountability and governance | ICO
3: CIPP/E study guide, page 91; Auditing | ICO; GDPR Audits: What You Need to Know - IT Governance Blog



SCENARIO

Please use the following to answer the next question:

Dynaroux Fashion ('Dynaroux') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities mean that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux's business plan and associated processing activities.

Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

  A. The company will be undertaking processing activities involving sensitive data categories such as financial and children's data.
  B. The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
  C. The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
  D. The company intends to shift their business model to rely more heavily on online shopping.

Answer(s): C

Explanation:

According to the Free CIPP/E Study Guide, page 14, "the GDPR requires controllers to carry out a data protection impact assessment (DPIA) prior to processing where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons." The GDPR also provides a list of examples of processing operations that require a DPIA, such as "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person" (Article 35(3)(a)). Therefore, the fact that Dynaroux plans to undertake profiling of its customers through analysis of their purchasing patterns would trigger a DPIA under the GDPR, as it involves a systematic and extensive evaluation of personal aspects based on automated processing that may significantly affect the customers. The other options are not necessarily cases where a DPIA is required, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.


Reference:

Free CIPP/E Study Guide, page 14
GDPR, Article 35






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS
upvote

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL
upvote

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM
upvote

X commented on August 08, 2024
answers are correct
Anonymous
upvote