Free CIPP-E Exam Braindumps (page: 34)

Page 34 of 68

A worker in a European Union (EU) member state has ceased his employment with a company.
What should the employer most likely do in regard to the worker's personal data?

  1. Destroy sensitive information and store the rest per applicable data protection rules.
  2. Store all of the data in case the departing worker makes a subject access request.
  3. Securely store the data that is required to be kept under local law.
  4. Provide the employee the reasons for retaining the data.

Answer(s): C

Explanation:

The GDPR requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed. However, the GDPR also allows member states to provide for more specific rules on the processing of employees' personal data in the employment context, including the retention periods for erasure and deletion of categories of personal data. Therefore, the employer should securely store the data that is required to be kept under local law, such as tax records, pension records, or health and safety records. The employer should also ensure that the data is protected from unauthorized or unlawful access, accidental loss, destruction, or damage. The employer should not store the data for longer than necessary or for purposes other than those for which the data was collected, unless the employee has given consent or there is another legal basis for doing so.


Reference:

1: Article 5 of the GDPR
2: Article 88 of the GDPR
3: Data Protection and GDPR in the Workplace | Factsheets | CIPD
4: How to Manage the Retention of Employee Data | GDPR Blog



Which of the following is NOT a role of works councils?

  1. Determining the monetary fines to be levied against employers for data breach violations of employee data.
  2. Determining whether to approve or reject certain decisions of the employer that affect employees.
  3. Determining whether employees' personal data can be processed or not.
  4. Determining what changes will affect employee working conditions.

Answer(s): A

Explanation:

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:
- Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.
- Determining whether employees' personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.
- Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.
However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers.


Reference:

Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.



Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and what?

  1. Prudent.
  2. Important.
  3. Proportionate.
  4. DPA-approved.

Answer(s): C

Explanation:

According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences.


Reference:

1: CIPP/E study guide, page 1; Data protection in law enforcement
2: CIPP/E study guide, page 2; Art. 2 LED
3: CIPP/E study guide, page 3; Art. 4 LED



Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

  1. Data subjects must be sufficiently informed of the purposes for which their personal data is processed.
  2. Processing of special categories of personal data on a large scale requires appointing a DPO.
  3. Personal data of data subjects must always be accurate and kept up to date.
  4. Data controllers must be in control of the data they hold at all times.

Answer(s): D

Explanation:

According to the Free CIPP/E Study Guide, page 12, "the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons." The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.


Reference:

Free CIPP/E Study Guide, page 12
GDPR, Articles 24, 25, 28, 32, 33, 34 and 58


https://blog.rsisecurity.com/why-byod-is-bad-for-gdpr-compliance/






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous