Our IAPP CIPP-E dumps are key to success. More than 80000+ success stories.
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVERFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?
A. He will have to sue EVERFIT’s head office in France, where EVERFIT has its main establishment.
B. He will be able to sue any one of the relevant EVERFIT branches, as each one may be held liable for the entire damage.
C. He will have to sue each EVERFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
D. He will be able to apply to the European Data Protection Board in order to determine which particular EVERFIT branch is liable for damages, based on the decision that was made by the board.
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?
A. Its plan would be in the context of the establishment of a controller in the Union.
B. It would be offering goods or services to data subjects in the Union.
C. It is engaging in commercial activities conducted in the Union.
D. It is monitoring the behavior of data subjects in the Union.
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.
C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
What type of data lies beyond the scope of the General Data Protection Regulation?
Read the following steps:
- Discover which employees are accessing cloud services and from which devices and apps
- Lock down the data in those apps and devices
- Monitor and analyze the apps and devices for compliance
- Manage application life cycles
- Monitor data sharing
An organization should perform these steps to do which of the following?
A. Pursue a GDPR-compliant Privacy by Design process.
B. Institute a GDPR-compliant employee monitoring process.
C. Maintain a secure Bring Your Own Device (BYOD) program.
D. Ensure cloud vendors are complying with internal data use policies.
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
A. Name and contact details of each controller on behalf of which the processor is acting.
B. Categories of processing carried out on behalf of each controller for which the processor is acting.
C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
A. To encourage the consistency of local data processing activity.
B. To give corporations a choice about who their supervisory authority will be.
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.
A. T-Craze has a French affiliate.
B. The French affiliate procured the services of Right Target.
C. T-Craze conducts its marketing and sales activities in France.
D. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
What is the key difference between the European Council and the Council of the European Union?
A. The Council of the European Union is helmed by a president.
B. The Council of the European Union has a degree of legislative power.
C. The European Council focuses primarily on issues involving human rights.
D. The European Council is comprised of the heads of each EU member state.
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?
A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
A. The requirements affected individuals without exception.
B. The requirements were financially burdensome to EU businesses.
C. The requirements specified that data must be held within the EU.
D. The requirements had limitations on how national authorities could use dat
Which of the following is one of the supervisory authority’s investigative powers?
A. To notify the controller or the processor of an alleged infringement of the GDPR.
B. To require that controllers or processors adopt approved data protection certification mechanisms.
C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
D. To require data controllers to provide them with written notification of all new processing activities.
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
A. The ability to enact new laws by executive order.
B. The right to access data for investigative purposes.
C. The discretion to carry out goals of elected officials within the member state.
D. The authority to select penalties when a controller is found guilty in a court of law.