Free IAPP CIPP-E Exam Braindumps (page: 11)

SCENARIO

Please use the following to answer the next question:

Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data.

Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full.

Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures.

What would be the most realistic way that Company B could have fulfilled this requirement?

  1. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  2. Requesting advice and technical support from Company A's IT team.
  3. Avoiding the use of another company's data to improve their own services.
  4. Vetting companies' measures with the appropriate supervisory authority.

Answer(s): A

Explanation:

Article 82 of the GDPR [1][2][3][4] regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Paragraph 4 of Article 82 [1][2][3][4] states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.

Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.


Reference:

1: Art. 82 GDPR - Right to compensation and liability - General Data Protection Regulation (GDPR)
2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu
3: GDPR Article 82: Right to compensation and liability - Advisera
4: Article 82 GDPR | Right to compensation and liability


https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/



In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  1. A privacy notice containing brief information whilst offering access to further detail.
  2. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
  3. An explanation of the security measures used when personal data is transferred to a third party.
  4. An efficient means of providing written consent in member states where they are required to do so.

Answer(s): A

Explanation:

A layered notice is a privacy notice designed to respond to problems with excessively long notices. A short notice -- the top layer -- provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects. The full notice -- the bottom layer -- covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR [3]. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed.





When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

  1. Inform the subjects about the collection
  2. Provide a public notice regarding the data
  3. Upgrade security to match that of the source
  4. Update the data within a reasonable timeframe

Answer(s): A

Explanation:

According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed.


Reference:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.
ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.
EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.



Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  1. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
  2. The name/s of relevant government agencies involved and the steps needed for revising the data.
  3. The identity and contact details of the controller and the reasons the data is being collected.
  4. The contact information of the controller and a description of the retention policy.

Answer(s): C

Explanation:

The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller's representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR [5]. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory.


Reference:

1: Article 13 of the GDPR
2: Article 14 of the GDPR
3: Article 13(1)(a) and (c) of the GDPR
4: Article 14(1)(a) and (c) of the GDPR
5: Recital 60 of the GDPR


https://gdpr-info.eu/art-13-gdpr/


