CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

Free CIPP-E Exam Braindumps (page: 6)

Page 6 of 68
PDF with 295 Questions

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

To ensure GDPR compliance, what should be the company's position on the issue of consent?

  1. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
  2. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
  3. Consent for data collection is implied through the parent's purchase of the action figure for the child.
  4. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.

Answer(s): D

Explanation:

According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of ISS include online marketplaces, social media platforms, and online games. In this scenario, the company is offering an ISS to children, as the connected toys can talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice, questions, preferences, and location. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to

South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children's best interests.
The other options are incorrect because:
A) The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children's consent.
B) The company does not need to obtain written authorization from the supervisory authority to process children's data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state, and it can intervene only in cases of non- compliance or complaints.
C) Consent for data collection cannot be implied through the parent's purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent's agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.


Reference:

Article 8 and Recitals (38) and (58) of the GDPR, Can personal data about children be collected?, Children and the UK GDPR, CIPP/E Certification



SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asi

  1. A large portion of the company's revenue is due to international sales.
    The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
    When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION.
    The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
    In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
    In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
  2. Encrypt the data in transit over the wireless Bluetooth connection.
  3. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  4. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
  5. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.

Answer(s): A

Explanation:

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In this scenario, the company is processing personal data of children, such as their voice, questions, preferences, and location, through the connected toys that use a wireless Bluetooth connection to communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted, hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of the data. Encryption is a process of transforming data into an unreadable form, using a secret key or algorithm, that can only be reversed by authorized parties who have the corresponding key or algorithm. Encryption can protect the data from being accessed or modified by anyone who does not have the key or algorithm, thus ensuring the confidentiality and integrity of the data.
The other options are incorrect because:
B) Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email.
While this may enhance the security of the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes. C) Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan.
While this may provide a high level of security for the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, or who may not have reliable biometric features, or who may find the process too complex or cumbersome.
D) Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a relevant measure to protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches.
While contractual clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a non-EU country that does not have an adequacy decision from the European Commission, they do not address the security of the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a technical or organisational measure, but a legal measure, that falls under a different provision of the GDPR, namely Article 46.


Reference:

Article 32 and Recitals (75), (76), (78), (83), and (85) of the GDPR, Security of processing, Encryption, Authentication, [Contractual clauses]



Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?

  1. The payment card number of a Dutch citizen
  2. The U.S. social security number of an American citizen living in France
  3. The unlinked aggregated data used for statistical purposes by an Italian company
  4. The identification number of a German candidate for a professional examination in Germany

Answer(s): C

Explanation:

The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time. The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.
However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.


Reference:

What is personal data? | ICO
What is considered personal data under the EU GDPR?
[GDPR personal data ­ what information does this cover?]



Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  1. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  2. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  3. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  4. Personal data of EU residents being processed by a non-EU business that targets EU customers.

Answer(s): B

Explanation:

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state. Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state. Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.
Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state. Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.


Reference:

1: Free CIPP/E Study Guide - International Association of Privacy Professionals.


https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extra- territoriality/






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

CIPP-E Exam Discussions & Posts