Free CIPP-E Exam Braindumps (page: 7)

How does the GDPR now define "processing"?

  A. Any act involving the collecting and recording of personal data.
  B. Any operation or set of operations performed on personal data or on sets of personal data.
  C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
  D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Answer(s): B

Explanation:

The GDPR defines processing as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (Article 4(2)). This is a broad definition that covers almost any activity involving personal data, regardless of the method or means used. The GDPR also specifies that processing should be lawful, fair and transparent, and should respect the principles of data protection by design and by default (Article 5).


Reference:

CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, [GDPR - EUR-Lex]


https://gdpr-info.eu/issues/processing/



What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

  A. The controller will be liable to pay an administrative fine
  B. The processor will be liable to pay compensation to affected data subjects
  C. The processor will be considered to be a controller in respect of the processing concerned
  D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Answer(s): C

Explanation:

According to the UK GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A processor must act only on the documented instructions of the controller and must not process the data for its own purposes or in a way that is incompatible with the controller's purposes. If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, it will be considered to be a controller in respect of that processing and will be subject to the same obligations and liabilities as a controller under the UK GDPR [1]. This means that the processor will have to comply with the data protection principles, ensure the rights of data subjects, implement appropriate technical and organisational measures, report data breaches, conduct data protection impact assessments, appoint a data protection officer if required, and cooperate with the supervisory authority. The processor will also be exposed to the risk of administrative fines, compensation claims, and reputational damage.


Reference:

[1]

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/


https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/



According to the GDPR, how is pseudonymous personal data defined?

  A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
  B. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
  C. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
  D. Data that has been encrypted or is subject to other technical safeguards.

Answer(s): A

Explanation:

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable.


Reference:

GDPR Article 4(5), which defines pseudonymisation.
GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation.
EDPS blog post, which provides an overview of pseudonymisation and its benefits.
ICO guidance, which gives practical advice on how to implement pseudonymisation.


https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/



Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

  A. When the personal data is processed only in non-electronic form
  B. When the personal data is collected and then pseudonymised by the controller
  C. When the personal data is held by the controller but not processed for further purposes
  D. When the personal data is processed by an individual only for their household activities

Answer(s): D

Explanation:

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes.


Reference:

1: Article 2(1) of the GDPR
2: Article 2(2)(c) of the GDPR
3: Recital 18 of the GDPR


https://gdpr-info.eu/art-6-gdpr/





