Free CIPP-E Exam Braindumps (page: 35)

Page 35 of 68

A company in France suffers a robbery over the weekend owing to a faulty alarm system.
When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States.
What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

  A. Seek informed consent from company employees.
  B. Have cameras recording during work hours only.
  C. Retain captured footage for no more than 30 days.
  D. Restrict camera placement to building entrances only.

Answer(s): D

Explanation:

According to Article 5 of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). The company's decision to install cameras in the entrance of the building, hallways and offices may violate this principle, as it may expose the personal data of the employees and visitors to unnecessary risks, such as hacking, misuse or disclosure. Moreover, the company must also comply with the other principles of data processing, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation. The company must have a legitimate and specific purpose for installing the cameras, and must inform the data subjects about the processing of their personal data. The company must also ensure that the cameras collect only the minimum amount of data necessary for the purpose, and that the data are accurate and kept for no longer than necessary. The company must also respect the rights and freedoms of the data subjects, and provide them with the means to exercise their rights, such as the right to access, rectify, erase, restrict, object or port. The most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR is to restrict the camera placement to building entrances only. This would limit the scope and impact of the data processing, and reduce the risks to the personal data of the employees and visitors.
The company would still need to inform the data subjects about the processing, and ensure that the footage is securely stored and transferred, especially if it is monitored by the home office in the United States, which is a third country that may not offer adequate protection for personal data. The company would also need to consider the possibility of obtaining the consent of the data subjects, or relying on another legal basis for the processing, such as the legitimate interests of the company or the performance of a contract.


Reference:

Article 5 of the GDPR
Articles 12-23 of the GDPR
Articles 44-50 of the GDPR
Article 6 of the GDPR



Which of the following is an example of direct marketing that would be subject to European data protection laws?

  A. An updated privacy notice sent to an individual's personal email address.
  B. A charity fundraising event notice sent to an individual at her business address.
  C. A service outage notification provided to an individual by recorded telephone message.
  D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.

Answer(s): D

Explanation:

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service.


Reference:

IAPP article on direct marketing (EU specific)
Lexology article on direct marketing requirements under the GDPR



Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data.
Which of the following is NOT one of these exceptions?

  A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
  B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Answer(s): A

Explanation:

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data processed for the purpose of uniquely identifying a natural person. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data'. These are:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims and judicial acts
(g) Substantial public interest conditions
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Option A is not one of these exceptions (the not-for-profit condition in (d) applies only where the data are not disclosed outside the body without consent), and therefore it is not a valid reason to process biometric data under Article 9. Options B, C and D are all valid exceptions, as they correspond to conditions (c), (f) and (a) respectively. Therefore, the correct answer is A.


Reference:

Art. 9 GDPR Processing of special categories of personal data
What are the rules on special category data? | ICO
https://dataprivacymanager.net/sensitive-personal-data-special-category-under-the-gdpr/



Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

  A. Advertisements passively displayed on a website.
  B. The use of cookies to collect data about an individual.
  C. A text message to individuals from a company offering concert tickets for sale.
  D. An email from a retail outlet promoting a sale to one of their previous customers.

Answer(s): A

Explanation:

The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:
The use of cookies or similar technologies to store or access information on the user's device (Regulation 6).
The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).
The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).
The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).

Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data.

However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.


Reference:

PECR
e-privacy Directive
ICO guide to PECR


https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02002L0058-20091219&from=RO




Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous