Free CIPP-E Exam Braindumps (page: 38)

Page 38 of 68

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated.

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

  A. Because of the misrepresentation of personal data as an endorsement.
  B. Because of the juxtaposition of the quotation with others' quotations.
  C. Because of the use of personal data outside of the social networking service (SNS).
  D. Because of the misapplication of the household exception in relation to a social networking service (SNS).

Answer(s): C

Explanation:

The GDPR defines personal data as "any information relating to an identified or identifiable natural person" (Article 4(1)). This includes names, quotations, and any other data that can be linked to a specific individual. The GDPR also requires that personal data be processed lawfully, fairly, and transparently, and that it be collected for specified, explicit, and legitimate purposes (Article 5(1)). Furthermore, the GDPR grants data subjects the right to object to the processing of their personal data for direct marketing purposes or for the purposes of the legitimate interests of the controller or a third party (Article 21).
In this scenario, Serge may have grounds to object to the use of his quotation on Brady Box's home webpage, as it constitutes the processing of his personal data outside of the original purpose for which it was collected. Serge posted the quotation on Brady Box's SNS, which is a separate service from Brady Box's web page design service. By using the quotation on the home webpage, Brady Box is processing Serge's personal data for a different purpose than the one for which Serge provided it, and without his consent or a legitimate interest. This may violate the principles of purpose limitation and lawfulness under the GDPR. Moreover, Serge may object to the use of his quotation as it implies his endorsement of Brady Box's service, which may affect his reputation or interests. The other options are less likely to be valid grounds for objection, as they are not directly related to the GDPR's provisions on personal data protection. The misrepresentation of personal data as an endorsement may be a matter of contract law or consumer protection law, but not necessarily a GDPR issue. The juxtaposition of the quotation with others' quotations may not affect Serge's rights or interests, unless it creates a false or misleading impression of his views or opinions. The misapplication of the household exception in relation to a SNS may not apply in this case, as the household exception only covers the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)(c)). Serge's posting of the quotation on a SNS may not qualify as a purely personal or household activity, as it involves the disclosure of personal data to a wider audience.





SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories (age, income, ethnicity) that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva's legal responsibility as a processor?

  A. They must report it to TripBliss Inc.
  B. They must conduct a full systems audit.
  C. They must report it to the supervisory authority.
  D. They must inform customers who have used the website.

Answer(s): A

Explanation:

According to Article 33 of the GDPR, processors must notify controllers without undue delay after becoming aware of a personal data breach. Even though Leon and Fred did not disclose the data to anyone else, the unauthorized access and copying of the log files still constitutes a personal data breach. Therefore, Techiva, as a processor, has a legal responsibility to report it to TripBliss Inc., as the controller. The other options are not legal obligations for processors, although they may be good practices or contractual terms.





SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

  A. Get consent from the app users.
  B. Provide a transparent notice to users.
  C. Anonymize the data and add latency so it avoids disclosing real time locations.
  D. Obtain a court order because location data is a special category of personal data.

Answer(s): A

Explanation:

According to the GDPR, location data is a type of personal data that can reveal information about an individual's habits, preferences, or movements. Location data can also be considered as a special category of personal data if it reveals information about an individual's health, ethnic origin, or religious beliefs. Therefore, location data is subject to the GDPR's rules on the lawful processing of personal data, which require a valid legal basis, such as consent, contract, legal obligation, vital interest, public interest, or legitimate interest.
In this scenario, Who-R-U decides to track locations using its app, which means that it collects and processes location data from its app users. This data can be used to identify the app users, as well as to infer information about their interests, preferences, or behavior. Therefore, Who-R-U needs to comply with the GDPR, even if it only offers its services to Canadians, because it monitors the behavior of individuals in the EU [2].
One of the possible legal bases for processing location data is consent, which means that the app users must give their informed, specific, and freely given agreement to the collection and use of their location data. Consent must be obtained before the processing starts, and it must be easy to withdraw at any time. Consent must also be granular, meaning that the app users must be able to choose which purposes and types of location data they agree to share. Therefore, if Who-R-U decides to track locations using its app, it must get consent from the app users, and provide them with clear and transparent information about how, why, and for how long their location data will be processed, who will have access to it, and what rights they have under the GDPR [1][2].
Who-R-U must also ensure that the consent is voluntary, and that the app users can opt out of location tracking without affecting the functionality or quality of the app.


Reference:

[1] Policy Brief: Location Data Under Existing Privacy Laws | FPF (Accessed: 11 December 2023).
[2] What is the General Data Protection Regulation (GDPR)? | Cloudflare (Accessed: 11 December 2023).



SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

  A. Article 6, which requires processing to be lawful.
  B. Article 7, which requires consent to be as easy to withdraw as it is to give.
  C. Article 16, which provides data subjects with a right to rectification.
  D. Article 20, which gives data subjects a right to data portability.

Answer(s): B

Explanation:

The Customer for Life plan may conflict with Article 7 of the GDPR, which states that "the data subject shall have the right to withdraw his or her consent at any time" and that "it shall be as easy to withdraw as to give consent" [1]. The plan violates this principle by stating that customers agree not to withdraw direct marketing consent and that the company can ignore any attempts to do so. This is not a valid way of obtaining or maintaining consent, as consent must be freely given, specific, informed and unambiguous [2]. Moreover, the plan may also conflict with Article 21 of the GDPR, which gives data subjects the right to object to direct marketing at any time [3].


Reference:

[1] Article 7(3) of the GDPR
[2] Article 4(11) of the GDPR
[3] Article 21(2) of the GDPR






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that great work
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous