Free CIPP-E Exam Braindumps (page: 33)

Page 33 of 68

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business.
While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.

Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint?

  1. T-Craze has a French affiliate.
  2. The French affiliate procured the services of Right Target.
  3. T-Craze conducts its marketing and sales activities in France.
  4. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

Answer(s): C

Explanation:

According to the CIPP/E study guide, Article 56 of the GDPR establishes the concept of the lead supervisory authority, which is the supervisory authority of the main or single establishment of the data controller or processor in the EU [1]. The lead supervisory authority has the primary responsibility for dealing with cross-border data processing, in cooperation with other concerned supervisory authorities. Article 60 of the GDPR requires the lead supervisory authority to cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The other supervisory authorities concerned are those that are established in a Member State where the data controller or processor has an establishment or where data subjects are substantially affected or likely to be substantially affected by the processing. In the scenario, T-Craze is a German-headquartered company that has a French affiliate responsible for all marketing and sales activities. Therefore, the French supervisory authority is the lead supervisory authority for the processing of personal data related to the marketing and sales activities of T-Craze, as it is the supervisory authority of the main establishment of the data controller in the EU. The Spanish supervisory authority is a concerned supervisory authority, as it is the supervisory authority of the Member State where data subjects are likely to be substantially affected by the processing, such as Sofia who filed a complaint. Therefore, the Spanish supervisory authority notifies the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint, in order to cooperate with the lead supervisory authority and seek consensus on the action to be taken.


Reference:

1: CIPP/E study guide, page 87; Art. 56 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).
2: CIPP/E study guide, page 88; Art. 60 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).



SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business.
While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.

What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?

  1. Accept, because it did not receive any complaints.
  2. Accept, because GDPR permits non-lead authorities to take action for such complaints.
  3. Reject, because Right Target's processing was conducted throughout Europe.
  4. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

Answer(s): B

Explanation:

According to the Free CIPP/E Study Guide, page 16, "the GDPR provides for a one-stop-shop mechanism, which means that a controller or processor with establishments in several Member States will have only one supervisory authority as its interlocutor, which will act as the lead authority. However, this does not mean that the lead authority has exclusive competence to supervise all processing activities of the controller or processor throughout the EU. The GDPR also allows for the possibility of a relevant and reasoned objection by a concerned supervisory authority, which may trigger the consistency mechanism and the involvement of the European Data Protection Board (EDPB). Moreover, the GDPR recognizes the right of any supervisory authority to adopt urgent measures on its own territory or to commence legal proceedings before a court in its Member State in order to protect the rights and freedoms of data subjects." Therefore, the lead regulator should accept the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint, as the GDPR permits non-lead authorities to take action for such complaints, especially when they involve urgent measures or legal proceedings to protect the data subjects' rights and freedoms. The other options are incorrect, as they do not reflect the GDPR's provisions on the one-stop-shop mechanism and the cooperation and consistency mechanisms.


Reference:

Free CIPP/E Study Guide, page 16
GDPR, Articles 56, 60, 61, 62, 63, 64, 65 and 66



Which of the following is one of the supervisory authority's investigative powers?

  1. To notify the controller or the processor of an alleged infringement of the GDPR.
  2. To require that controllers or processors adopt approved data protection certification mechanisms.
  3. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
  4. To require data controllers to provide them with written notification of all new processing activities.

Answer(s): A

Explanation:

According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations.


Reference:

Article 58 of the GDPR
European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities


https://gdpr-info.eu/art-58-gdpr/



Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR.
Why would such practice be permitted?

  1. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  2. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  3. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  4. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer(s): B

Explanation:

According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person. This means that printing employees' photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR [2].


Reference:

Recital 51 of the GDPR

ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of-GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous