Free CIPP-E Exam Braindumps (page: 32)

Page 32 of 68

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

  A. Approved certifications.
  B. Binding corporate rules.
  C. Law enforcement requests.
  D. Standard contractual clauses.

Answer(s): A

Explanation:

According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met.


Reference:

Article 42 of the GDPR
European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation


https://www.anonos.com/gdpr-chapter-5-transfers-of-personal-data-to-third-countries-or-international-organisations



Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

  A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
  B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
  C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
  D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Answer(s): B

Explanation:

According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees. This means that all employees within the group must comply with the BCRs, irrespective of their location or the jurisdiction where they operate. The other options are incorrect, as they do not reflect the requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on BCRs.


Reference:

GDPR Article 47(2)(a)
EDPB Guidelines 3/2018 on the territorial scope of the GDPR
EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation



With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  B. When it has been determined that adequate protection can be performed.
  C. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  D. Only as a last resort and when interpreted restrictively.

Answer(s): D

Explanation:

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects.


Reference:

1: Article 49 of the GDPR
2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
3: A guide to international transfers | ICO


https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc.pdf (4)



SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication from Right Target on behalf of T-Craze even after unsubscribing from such communications.

Which of the following is T-Craze's lead supervisory authority?

  A. Germany, because that is where T-Craze is headquartered.
  B. France, because that is where T-Craze conducts processing of personal information.
  C. Spain, because that is T-Craze's primary market based on its marketing campaigns.
  D. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.

Answer(s): A

Explanation:

According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze's lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority.


Reference:

Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous