Home » Uncategorized » CIPPEJULY2024A

News/Events@HB

CIPPEJULY2024A

0%
3

You have X mins to complete this QUIZ! Wish you all the best!

Time is UP!


CIPPEJULY2024A

CIPPEJULY2024A

 

Please enter your full name, email address and location for certificate/score-generations! You will receive only if you score above 50%.

1 / 340

Category: CIPPEJULY2024A

1. Which of the following is the BEST approach for an organisation to take to be able to demonstrate fairness when processing personal data?

2 / 340

Category: CIPPEJULY2024A

2. The GDPR requires parent/guardian consent to process personal data of data subjects younger than what minimum age?

3 / 340

Category: CIPPEJULY2024A

3. Failure to provide fair information to daa subjects with regards to the processing of their personal data is LIKELY to?

4 / 340

Category: CIPPEJULY2024A

4. The European Commission has the power to determine whether a country outside of the EU provides an adequate level of data protection in accordance with the GDPR. Which one of the following countries has been deemed 'adequate'?

5 / 340

Category: CIPPEJULY2024A

5. Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

6 / 340

Category: CIPPEJULY2024A

6. A grocery store opened on a street that has had regular problems with thefts. Since the grocery store is new, they do not yet have the budget for a real surveillance system. Unstead, they install fake video surveillance cameras to stop potential thieves until they can afford a real surveillance system. The cameras are pointed only inside the store and there are no cameras facing the street.
Which GDPR lawful basis is the grocey store MOST LIKELY to have relied on for the placing of the cameras?

7 / 340

Category: CIPPEJULY2024A

7. Which of the following processing conditions would prohibit an organisation from retaining personal data collected for conducting a wbinar once the webinar has concluded and the processing purpose has expired?

8 / 340

Category: CIPPEJULY2024A

8. In which of the following situations must a data protection impact assessment (DPIA) be used?

9 / 340

Category: CIPPEJULY2024A

9. When a situation arises in which neither an adequacy decision nor appropriate safeguards are in place, the GDPR sets forth specific derogations to allow data transfers. Which of the following is a requirement to transfer data under the derogations?

10 / 340

Category: CIPPEJULY2024A

10. Which treaty was issued as a result of the enlargement of the European Community and the corresponding need to improve the efficiency and speed of decision-making processes?

11 / 340

Category: CIPPEJULY2024A

11. A U.S based pharmaceutical company, Pharma, receives pseudonymised patient information from clinical sites all over the world, including the EU, as part of a clinical trial. How must Pharma process the data?

12 / 340

Category: CIPPEJULY2024A

12. Which of the following is a legally binding instrument?

13 / 340

Category: CIPPEJULY2024A

13. Please use the following scenario to answer the next TWO questions.
Luca is the owner of a chain of Italian restaurants across Europe. The restaurant has been successful but beginning with the COVID pandemic customers have mainly ordered food to pick up and eat at home. Luca decided to create a mobile app that allows customers to order ahead and schedule pickup times to help alleviate wait times. This also allowed him tobuild analytics to better staff his restaurants in this new era of takeout.

Since Luca is now processing and storing customer data via his app, he needs to create internal privacy policies for employees to follow. Which guidelines should be included in the policy?

14 / 340

Category: CIPPEJULY2024A

14. Please use the following scenario to answer the next TWO questions.
Luca is the owner of a chain of Italian restaurants across Europe. The restaurant has been successful but beginning with the COVID pandemic customers have mainly ordered food to pick up and eat at home. Luca decided to create a mobile app that allows customers to order ahead and schedule pickup times to help alleviate wait times. This also allowed him tobuild analytics to better staff his restaurants in this new era of takeout.

To comply with the obligations under Article 25 (data protection by design and by default), what should Luca consider when reviewing and assessing the processing and storage of personal data gathered by this app?

15 / 340

Category: CIPPEJULY2024A

15. An employee of company XYZhas just noticed a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee.
What should the company do?

16 / 340

Category: CIPPEJULY2024A

16. A company is under investigation by multiple regulators in different countries' jurisdictions for not complying with GDPR fair notice requirements. Which is TRUE of the fines that may be assessed against the company?

17 / 340

Category: CIPPEJULY2024A

17. A data subject wants to lodge a complaint against a controller about the processing of their data. Which of the following is NOT a true statement?

18 / 340

Category: CIPPEJULY2024A

18. Under the ePrivacy Directive, when a company decides to send direct email marketing, which of the following legal bases may it generally rely on?

19 / 340

Category: CIPPEJULY2024A

19. Which statement about automated decision-making under Article 22 of the GDPR is TRUE?

20 / 340

Category: CIPPEJULY2024A

20. Under the GDPR, which of the following is TRUE about data subjects' options to exercise their rights in cases of noncompliance?

21 / 340

Category: CIPPEJULY2024A

21. A data subject makes a subject access request (SAR) to an online retail company for their personal data. The data subject states that they are making a SAR in accordance with the GDPR; however, if the company credits the data subject's online account with a specified sum of money, the data subject will withdraw their request. The compnay has not had any previous access requests by other individuals.
Which of the following would be legitimate grounds for the company to refuse to comply with the access request?

22 / 340

Category: CIPPEJULY2024A

22. In what stages of the project life cycle should data protection by design (also known as privacy by design) be applied?

23 / 340

Category: CIPPEJULY2024A

23. Which instrument could be used, or which treaty could be joined, by a non-European country that wanted to demonstrate an international commitment to implement data protection legistlation and to provide protection of individuals with regard to automatic processing of personal data?

24 / 340

Category: CIPPEJULY2024A

24. An unforeseen power outage results in Company Z's lack of access to customer data for six hours, which is considered a breach under Article 32 of the GDPR. Based on the WP29's February 2018 'Guidelines on Personal data breach notification' (later adopted by the EDPB), Company Z should do which of the folloing?

25 / 340

Category: CIPPEJULY2024A

25. Please use the following scenario to answer the next THREE questions.
Excited to go on holiday, Isabelle took a trip to Amsterdam and wnet on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence i France, she received frequent flyers from Novatours and third-party venfors. The number of flyers and vendors involved increased over time, including not only tourist activites, but also hotels, restuarants, car rentals, museum events, etc. All flyers mentioned a partnershipwth Novatours.
A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the 'no-reply' general email on their website. Isabelle concluded there was no way to contact them other that through an affiliated tourist office where she first learned about the company.

Novatours received several similar complaints resulting in the suspension of their licence to operate. When Novatours lawyer filed a complaint against the supervisory authorities, they were informed that Novatours, as a contoller, was legally required to do which of the following/

26 / 340

Category: CIPPEJULY2024A

26. Please use the following scenario to answer the next THREE questions.
Excited to go on holiday, Isabelle took a trip to Amsterdam and wnet on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence i France, she received frequent flyers from Novatours and third-party venfors. The number of flyers and vendors involved increased over time, including not only tourist activites, but also hotels, restuarants, car rentals, museum events, etc. All flyers mentioned a partnershipwth Novatours.
A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the 'no-reply' general email on their website. Isabelle concluded there was no way to contact them other that through an affiliated tourist office where she first learned about the company.

Finally, Isabelle received a response from Novatours about how she can delete her personal data from their records. She authnticated her identity via email and followed the instructions provided by Novatours to delete her data. But a few weeks later, she received text messages about new offers encouraging her to respond quickly before discounts expire. Isabelle suspects Novatours is still processing her personal data and wonders if this is allowed.
Which of the following is correct?

27 / 340

Category: CIPPEJULY2024A

27. Please use the following scenario to answer the next THREE questions.
Excited to go on holiday, Isabelle took a trip to Amsterdam and wnet on a series of canal tours promoted by Novatours, a new Amsterdam-based company. She downloaded the Novatours app on her smartphone, accepted the privacy conditions, and connected her credit card for ease of payment. Upon return to her residence i France, she received frequent flyers from Novatours and third-party venfors. The number of flyers and vendors involved increased over time, including not only tourist activites, but also hotels, restuarants, car rentals, museum events, etc. All flyers mentioned a partnershipwth Novatours.
A few weeks later, she moved to a new apartment. She tried to contact Novatours but she could not get past the automated telephone system or the 'no-reply' general email on their website. Isabelle concluded there was no way to contact them other that through an affiliated tourist office where she first learned about the company.

Isabelle wants to update her address and limit the sharing of her personal data. What should she do?

28 / 340

Category: CIPPEJULY2024A

28. What is a 'layered fair processing notice'?

29 / 340

Category: CIPPEJULY2024A

29. If a multi-national company wanted to ocnduct background checks on all current and potential European-based employees, what key provision would the company have to follow?

30 / 340

Category: CIPPEJULY2024A

30. Which treaty reated the Eurpoean Union?

31 / 340

Category: CIPPEJULY2024A

31. When is a data sharing agreement MOST LIKELY to be needed?

32 / 340

Category: CIPPEJULY2024A

32. What should an organisation consider when determining appropriate periods for retaining personal data?

33 / 340

Category: CIPPEJULY2024A

33. What is the core concept underpinning the GDPR accountability requirement?

34 / 340

Category: CIPPEJULY2024A

34. You accidently send an email that contains a small amount of personal data, and no sensitive data, concerning 25 individuals from the EU to the wrong email address. You immediately request the recipient delete the email and the recipient confirms they have done so. After reporting what has happened to your DPO, you take some refresher privacy training for good measure.
Under the GDPR, why is it unlikely that your company would be fined as a result of this data breach?

35 / 340

Category: CIPPEJULY2024A

35. Which of the following is NOT a common service model of cloud computing?

36 / 340

Category: CIPPEJULY2024A

36. A company is hesitating between binding corporate rules and standard contractual clauses as a global data transfer solution. Which of the following statements would help the compnay make an effective decision?

37 / 340

Category: CIPPEJULY2024A

37. Please use the following scenario to answer the next THREE questions.
Museum4your Senses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlck.
The museum's unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored wiating room where they receive instructions to speak their name and introduce the character they wish to become for hte day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.
A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum's privacy notice and a consent form to sign about the images andvoice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars fo the museum's reuse.

A local elementary school teacher was one of the first visitors to Museum4yourSenses and was inspired to launch some educational materials after the visit. However, the teacher was alarmed to learn that a number of children with special needs had their intorductory videos selected to promote a diversity and inclusion angle in the promotional materials. What would be her BEST option to protect children's rights?

38 / 340

Category: CIPPEJULY2024A

38. Please use the following scenario to answer the next THREE questions.
Museum4your Senses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlck.
The museum's unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored wiating room where they receive instructions to speak their name and introduce the character they wish to become for hte day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.
A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum's privacy notice and a consent form to sign about the images andvoice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars fo the museum's reuse.

Bubbaloo Clown Company downloaded the PluckPlack videos promoting the museum and used the expressions to make new clown masks. It named the masks according to the visitor's introductions. When former visitors becmae aware of these masks, they lodged a series of complaints with the supervisory authorities. Museum4yourSenses deflected any responsibility, stating it was their audio-visual vendor handling the audio recordings fo the visitors.
Which statement about responsibility for the misuse of the visitors personal data is correct?

39 / 340

Category: CIPPEJULY2024A

39. Please use the following scenario to answer the next THREE questions.
Museum4your Senses is a new museum with an exceptionally modern feel and is gaining a lot of traction on PluckPlack, a popular social media app. To promote their multi-location launch, founders aim to go viral with captivating avatar-enhanced videos on PluckPlck.
The museum's unique pitch is a chance for the first 100 visitors of the day to test out new virtual reality headsets for free. Visitors first step into a rainbow-colored wiating room where they receive instructions to speak their name and introduce the character they wish to become for hte day. When visitors get their photo taken for their badge, they are instructed to look directly at the camera and make a funny face.
A month before the museum opened in Brussels, a private reception was held. The organisers gave visitors forms that included a box to acknowledge having read the museum's privacy notice and a consent form to sign about the images andvoice recordings that would be required for entry. The consent form stated the personal data would be deleted 24 hours after the initial visit. After the Brussels launch, some of the visitors noticed the museum had posted promotional videos on PluckPlack that used the visitors introductory voice recordings. The consent forms did not mention that the audio recordings would be combined with new avatars fo the museum's reuse.

After visiting the Museum4your Senses, what would visitors be entitled to request regarding their personal data?

40 / 340

Category: CIPPEJULY2024A

40. Under which of the following conditions is a controller in EU likely to be exempt fromhaving to inform data subjects of the processing of their personal data under Articles 13 and 14 of the GDPR?

41 / 340

Category: CIPPEJULY2024A

41. Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject unless the controller can demonstrate compelling legitimate grounds that override the interests of the individual. Uin the 'Guidelines on Automated individual decision-making and Profiling', the European Data Protection Board (EDPB) says the controller needs to do all of the following to demostrate it has such legitimate grounds EXCEPT?

42 / 340

Category: CIPPEJULY2024A

42. A bakery placed a video surveillance camera in the employee break room. The camera is pointed in a manner so that it only records the portion of the wall that holds the employee timeclock. The employer setup the camera after some employees were caught clocking in for other employees who were running late to work. The employer reviews the footage weekly and then deletes the footage. A sign is posted next to the timeclock informing employees about the recording.
If the employees exercise their right to object, what will the employer need to do to continue the video monitoring?

43 / 340

Category: CIPPEJULY2024A

43. A Brazilian citizen is visiting Paris, France on a one-year work visa. During their time in France, they join a local health and fitness club. The registration orm for the health club requests their full name, permanent home address, bank account information for withdrawal of membership fees, and their race or ethnic origin for statistical purposes.
Which information requested is considered a special category of personal data under Article 9 of the GDPR?

44 / 340

Category: CIPPEJULY2024A

44. Which of the following is TRUE with regard to the provisions of the ePrivacy Directive?

45 / 340

Category: CIPPEJULY2024A

45. Your company's chief information security officer is performing an annual review of its 'bring your own device' (BYOD) program for its European subsidiary. She has asked you to validate that the technical team's process document is compliant with GDPR. Which step would RESULTIN NON-COMPLIANCE with the GDPR?

46 / 340

Category: CIPPEJULY2024A

46. What is the main reason GDPR Article 4(22) establishes the concept of the 'supervisory authority concerned'?

47 / 340

Category: CIPPEJULY2024A

47. A company based in Spain is expanding its business to serve customers in other EU member states. The company increases its advertising budget and serves advertisements to market its product to consumers in France, Germany and the Netherlands. Consumers from all three countries use the company website to purchase products and have the products shipped to their homes. The privacy notice of the Spanish company provides data subjects with all the required information; however, the policy is only available in Spanish. Which GDPR principle is the company MOST LIKELY to be in breach of?

48 / 340

Category: CIPPEJULY2024A

48. Which EU entry has the authority to invalidate adequacy determinations made by the European Commission?

49 / 340

Category: CIPPEJULY2024A

49. A United States based online company uses software to track the browsing behaviour and predict future purchases of its European customers. It also shares this information with third parties. Under the GDPR, what is the online company's primary obligation before engaging in this kind of profiling?

50 / 340

Category: CIPPEJULY2024A

50. Under the ePrivacy Directive, when obtaining consent from individuals to process their location data, controllers must present individuals with each of the following EXCEPT:

51 / 340

Category: CIPPEJULY2024A

51. Please use the following scenario to answer the next TWO questions.
The U.S based ABC Company is setting up a processing facility in Ireland. The Company is a back-office data processor for EU health insurance companies. ABC Company's first client is Ireland HealthU Insurance, which provides health insurance for all college students in Ireland. The student health insurance applications include name, date of birth, and previous and existing medical treatments and conditions. The volume of data processing is unknown, but it is expected to be between 50,000-100000 applications per month. Even though there are large volumes of applications, the number of employees of ABC Company remains fewer that 100.

In the above scenario, ABC Company appointed a DPO to comply with the GDPR. Why is ABC Company required to do so?

52 / 340

Category: CIPPEJULY2024A

52. Please use the following scenario to answer the next TWO questions.
The U.S based ABC Company is setting up a processing facility in Ireland. The Company is a back-office data processor for EU health insurance companies. ABC Company's first client is Ireland HealthU Insurance, which provides health insurance for all college students in Ireland. The student health insurance applications include name, date of birth, and previous and existing medical treatments and conditions. The volume of data processing is unknown, but it is expected to be between 50,000-100000 applications per month. Even though there are large volumes of applications, the number of employees of ABC Company remains fewer that 100.

Does the record-keeping requirement of the GDPR apply to this company?

53 / 340

Category: CIPPEJULY2024A

53. A restaurant has a website through which customers order food to be delivered to their home. The restaurant sends the consumer's personal data and order information to a third-party delivery company for the purpose of delivering the food and accepting payment. After the order is complete, the delivery company pseudonymises the customer information to be used to improve the delivery company's estimated delivery time algorithm. The delivery company is not using the pseudonymised customer data for their algorithm on the restaurant's behalf.
Under the GDPR, what role best describes the delivery company with respect to the processing of data used for the algorithm?

54 / 340

Category: CIPPEJULY2024A

54. A data controller must notify a data subject about a personal data breach likely to result in a high risk to the data subject's fundamental rights and freedoms in each of the following situations EXCEPT?

55 / 340

Category: CIPPEJULY2024A

55. A key component of the OECD Guidelines in the 'individual participation principle'. What parts of the GDPR provide the closest equivalent tot hat principle?

56 / 340

Category: CIPPEJULY2024A

56. Each of the following are means controllers must use to meet fair processing information guidelines EXCEPT?

57 / 340

Category: CIPPEJULY2024A

57. A shopping mall uses video surveillance cameras, which include facial recognition technology, at the entrance. This technology allows the mall to detect and remove individuals who were previously banned from the property.
Which GDPR condition for processing would the shopping mall need to rely on for the processing of the video footage and facial recognition data?

58 / 340

Category: CIPPEJULY2024A

58. Under the GDPR, who would be least likely to e allowed to engage in the collection, use and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

59 / 340

Category: CIPPEJULY2024A

59. Before deciding to encrypt personal data, an organisation is required to assess the risks of the processing activity. What should an organisation take into consideration during the assessment?

60 / 340

Category: CIPPEJULY2024A

60. A convenience store in Brussels is having trouble with individuals spray painting graffiti on the front windows and entrance when the store is closed. As security measure, they have installed video surveillance outside of their entrance. The camera records activity near the door and along the sidewalks in front of the store. Video footage is stored for one month and then deleted if not needed. Footage of a passer-by was captured while he was on the sidewalk and did not show evidence of vandalism by him. He asks to have his personal data erased immediately.
What must the store do to comply with the GDPR?

61 / 340

Category: CIPPEJULY2024A

61. How has the GDPR's position on consent most likely affected app design and implementation?

62 / 340

Category: CIPPEJULY2024A

62. Please use the following scenario to answer the next FOUR questions.
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong, and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is from international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhance play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data centre located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a near-field communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

Considering the requirements of Article 32 of the GDPR (related to the security of processing), which practice should the company institute?

63 / 340

Category: CIPPEJULY2024A

63. Please use the following scenario to answer the next FOUR questions.
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong, and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is from international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhance play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data centre located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a near-field communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

What presents the biggest potential privacy issue with the company's practices?

64 / 340

Category: CIPPEJULY2024A

64. Please use the following scenario to answer the next FOUR questions.
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong, and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is from international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhance play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data centre located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a near-field communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

To ensure GDPR compliance, what should be the company's position on the issue of consent?

65 / 340

Category: CIPPEJULY2024A

65. Please use the following scenario to answer the next FOUR questions.
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong, and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is from international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhance play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data centre located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a near-field communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

Why is this company obligated to comply with the GDPR?

66 / 340

Category: CIPPEJULY2024A

66. Each of the following should be considered when assessing which security measures would be most appropriate for an organisation EXCEPT?

67 / 340

Category: CIPPEJULY2024A

67. According to the GDPR, how is pseudonymous personal data defined?

68 / 340

Category: CIPPEJULY2024A

68. Pursuant to Article 32(1) of the GDPR, which is a technical and organisational measure to ensure a level of security appropriate to the assessed risks?

69 / 340

Category: CIPPEJULY2024A

69. Under the GDPR, which of the following statues is TRUE regarding a data subject's right to opt out of direct marketing?

70 / 340

Category: CIPPEJULY2024A

70. When determining whether to impose an administrative fine and its amount, a supervisory authority takes into account the intentional or negligent character of the infringement. Which of the following is another criterion that would have a bearing on the amount of the fine?

71 / 340

Category: CIPPEJULY2024A

71. Which of the following is NOT one of the seven EU-U.S and Swiss-U.S Privacy Shield Principles?

72 / 340

Category: CIPPEJULY2024A

72. An organisation wants to use a digital identity verification app to authenticate the identities of new customers. Customers will be asked to upload a photo ID document such as passport, driving licence or national ID and then asked to upload a picture of their face in the app. The ID document's authenticity is checked, and biometrics are used to ensure the ID document belongs to the customer.
What step should the organisation take to ensure the data minimisation principle is implemented when collecting the personal data?

73 / 340

Category: CIPPEJULY2024A

73. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) had in common but largely failed to achieve in Europe?

74 / 340

Category: CIPPEJULY2024A

74. Under Article 17(1) (right to erasure or 'right to be forgotten'), what is a controller required to do when they receive a proper request for erasure from a data subject?

75 / 340

Category: CIPPEJULY2024A

75. Which of the following would most likely NOT be covered by the definition of 'personal data' under the GDPR?

76 / 340

Category: CIPPEJULY2024A

76. Please use the following scenario to answer the next THREE questions.
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phising attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees computers.
Since these measures would potentially impact employees, Building Block's privacy office decided to issues a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees computer activity and their location. During these activities, the information security team discovered that on employee from Italy was connecting daily to a video library of movies and another form Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company's computers and from working remotely without authorisation.

In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

77 / 340

Category: CIPPEJULY2024A

77. Please use the following scenario to answer the next THREE questions.
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phising attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees computers.
Since these measures would potentially impact employees, Building Block's privacy office decided to issues a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees computer activity and their location. During these activities, the information security team discovered that on employee from Italy was connecting daily to a video library of movies and another form Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company's computers and from working remotely without authorisation.

What would be the most appropriate way for Building Block to handle the situation with the employee from Italy?

78 / 340

Category: CIPPEJULY2024A

78. Please use the following scenario to answer the next THREE questions.
Building Block Inc. is a multinational company headquartered in Chicago with offices throughout the United States, Asia and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phising attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their privacy office and the information security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit and use of a new software tool called SecurityScan, which scans employees computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees computers.
Since these measures would potentially impact employees, Building Block's privacy office decided to issues a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the security team on how to use SecurityScan to monitor employees computer activity and their location. During these activities, the information security team discovered that on employee from Italy was connecting daily to a video library of movies and another form Germany worked remotely without authorisation. The security team reported these incidents to the privacy office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees since the security and privacy policy of the company prohibited employees from installing software on the company's computers and from working remotely without authorisation.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

79 / 340

Category: CIPPEJULY2024A

79. Much of the GDPR builds upon the Data Protection Directive. Which of the following data subject rights is the only right that did NOT exist in some form in the Directive?

80 / 340

Category: CIPPEJULY2024A

80. Administrative fines imposed under GDPR Article 83 must be?

81 / 340

Category: CIPPEJULY2024A

81. A high-security bank requires members to use fingerprint identification to access specific vaults. The bank retains those records to determine who obtained access and when. The bank must determine the lawful basis for processing under the GDPR. Which lawful basis would most likely apply to this type of processing activity?

82 / 340

Category: CIPPEJULY2024A

82. Which of the following is NOT amongst the rights and freedoms that must be considered when balancing privacy rights under the GDPR?

83 / 340

Category: CIPPEJULY2024A

83. Each of the following is a valid transfer mechanism data controllers may rely upon to legally transfer EU personal data outside of the EU EXCEPT?

84 / 340

Category: CIPPEJULY2024A

84. Which of the following would most likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

85 / 340

Category: CIPPEJULY2024A

85. According to GDPR Article 56,what is a lead supervisory authority's (LSA) main concern?

86 / 340

Category: CIPPEJULY2024A

86. What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

87 / 340

Category: CIPPEJULY2024A

87. A full and valid set of binding corporate rules (BCRs) must include specific elements. Which of the following is NOT one of the required elements?

88 / 340

Category: CIPPEJULY2024A

88. Under the GDPR, when processing an individual's personal data in the context of direct marketing activities, data controllers must do which of the following/

89 / 340

Category: CIPPEJULY2024A

89. A breach of security leading to the accidental destruction or loss of personal data triggers notification obligations. According to Article 33(2) of the GDPR, how soon must the data processor notify the data controller about such breach of security?

90 / 340

Category: CIPPEJULY2024A

90. How does the GDPR define 'Processing'?

91 / 340

Category: CIPPEJULY2024A

91. SCENARIO. Please use the following to answer the next question: Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU). People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations. The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform. The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

92 / 340

Category: CIPPEJULY2024A

92. SCENARIO. Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact. What presents the BIGGEST potential privacy issue with the company’s practices?

93 / 340

Category: CIPPEJULY2024A

93. If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

94 / 340

Category: CIPPEJULY2024A

94. What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

95 / 340

Category: CIPPEJULY2024A

95. . Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

96 / 340

Category: CIPPEJULY2024A

96. . There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

97 / 340

Category: CIPPEJULY2024A

97. Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

98 / 340

Category: CIPPEJULY2024A

98. SCENARIO. Please use the following to answer the next question: Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients. Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary. What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U’s forms?

99 / 340

Category: CIPPEJULY2024A

99. ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

100 / 340

Category: CIPPEJULY2024A

100. Which of the following would require designating a data protection officer?

101 / 340

Category: CIPPEJULY2024A

101. Read the following steps: Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices Monitor and analyze the apps and devices for compliance Manage application life cycles. Monitor data sharing. An organization should perform these steps to do which of the following?

102 / 340

Category: CIPPEJULY2024A

102. . A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

103 / 340

Category: CIPPEJULY2024A

103. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) had in common but largely failed to achieve in Europe?

104 / 340

Category: CIPPEJULY2024A

104. SCENARIO. Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers. Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches. After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization. In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

105 / 340

Category: CIPPEJULY2024A

105. . Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?

106 / 340

Category: CIPPEJULY2024A

106. . Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

107 / 340

Category: CIPPEJULY2024A

107. . Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

108 / 340

Category: CIPPEJULY2024A

108. . Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

109 / 340

Category: CIPPEJULY2024A

109. . Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment. Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

110 / 340

Category: CIPPEJULY2024A

110. SCENARIO. Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business. During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services. Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered. After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

111 / 340

Category: CIPPEJULY2024A

111. . Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

112 / 340

Category: CIPPEJULY2024A

112. SCENARIO. Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information. The Customer for Life plan may conflict with which GDPR provision?

113 / 340

Category: CIPPEJULY2024A

113. . According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

114 / 340

Category: CIPPEJULY2024A

114. : With the issue of consent, the GDPR allows member states some choice regarding what?

115 / 340

Category: CIPPEJULY2024A

115. According to the GDPR. Article 4(14). biometric data is defined as: "Personal data resulting from specific technical processing relating to the characteristics of a natural person"

116 / 340

Category: CIPPEJULY2024A

116. . A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

117 / 340

Category: CIPPEJULY2024A

117. Which of the following entities would most likely be exempt from complying with the GDPR?

118 / 340

Category: CIPPEJULY2024A

118. . According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?

119 / 340

Category: CIPPEJULY2024A

119. . With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

120 / 340

Category: CIPPEJULY2024A

120. In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

121 / 340

Category: CIPPEJULY2024A

121. . What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

122 / 340

Category: CIPPEJULY2024A

122. What obligation does a data controller or processor have after appointing a data protection officer?

123 / 340

Category: CIPPEJULY2024A

123. . Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?

124 / 340

Category: CIPPEJULY2024A

124. An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

125 / 340

Category: CIPPEJULY2024A

125. According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?

126 / 340

Category: CIPPEJULY2024A

126. Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

127 / 340

Category: CIPPEJULY2024A

127. . Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

128 / 340

Category: CIPPEJULY2024A

128. . In relation to third countries and international organizations, which of the following shall, along with the supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the enforcement of data protection legislation?

129 / 340

Category: CIPPEJULY2024A

129. SCENARIO. Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

130 / 340

Category: CIPPEJULY2024A

130. SCENARIO. Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business. During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit. Consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services. Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered. With regard to TripBliss Inc.’s use of website cookies, which of the following statements is correct?

131 / 340

Category: CIPPEJULY2024A

131. . In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

132 / 340

Category: CIPPEJULY2024A

132. . Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information. Which other situation would also exempt the data controller from this obligation under Article 14?

133 / 340

Category: CIPPEJULY2024A

133. SCENARIO. Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

134 / 340

Category: CIPPEJULY2024A

134. Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?

135 / 340

Category: CIPPEJULY2024A

135. An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

136 / 340

Category: CIPPEJULY2024A

136. Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR ?

137 / 340

Category: CIPPEJULY2024A

137. What must a data controller do in order to make personal data pseudonymous?

138 / 340

Category: CIPPEJULY2024A

138. WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

139 / 340

Category: CIPPEJULY2024A

139. Higher fines are assessed for GDPR violations due to which of the following?

140 / 340

Category: CIPPEJULY2024A

140. A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

141 / 340

Category: CIPPEJULY2024A

141. Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following: “WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.” “We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.” “We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.” What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

142 / 340

Category: CIPPEJULY2024A

142. . Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

143 / 340

Category: CIPPEJULY2024A

143. . The European Parliament jointly exercises legislative and budgetary functions with which of the following?

144 / 340

Category: CIPPEJULY2024A

144. SCENARIO. Please use the following to answer the next question: Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club. After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company. Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision. Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website. Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

145 / 340

Category: CIPPEJULY2024A

145. Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

146 / 340

Category: CIPPEJULY2024A

146. An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

147 / 340

Category: CIPPEJULY2024A

147. What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

148 / 340

Category: CIPPEJULY2024A

148. Two companies, Gellcoat and Freifish, make plans to launch a co-branded product the prototype of which is called Gellifish 9090. The companies want to organize an event to introduce the new product, so they decide to share data from their client databases and come up with a list of people to invite. They agree on the content of the invitations and together build an app to gather feedback at the event.

149 / 340

Category: CIPPEJULY2024A

149. . A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use All of the following factors would be relevant for the company to consider EXCEPT'?

150 / 340

Category: CIPPEJULY2024A

150. . Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:

Name Address Date of Birth
Payroll number
National Insurance number
Sick pay entitlement Maternity/paternity pay entitlement Holiday entitlement
Pension and benefits contributions Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required. Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract. Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees. The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

151 / 340

Category: CIPPEJULY2024A

151. Which of the following regulates the use of electronic communications services within the European Union?

152 / 340

Category: CIPPEJULY2024A

152. . When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

153 / 340

Category: CIPPEJULY2024A

153. SCENARIO. Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. What is the nature of BHealthy and Natural Insight’s relationship?

154 / 340

Category: CIPPEJULY2024A

154. SCENARIO. Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

155 / 340

Category: CIPPEJULY2024A

155. . Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

156 / 340

Category: CIPPEJULY2024A

156. . After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?

157 / 340

Category: CIPPEJULY2024A

157. SCENARIO. Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department. Registration Form. Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property. We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page. Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?

158 / 340

Category: CIPPEJULY2024A

158. SCENARIO. Please use the following to answer the next question: Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients. Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary. What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

159 / 340

Category: CIPPEJULY2024A

159. SCENARIO. Please use the following to answer the next question: Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files). Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers. Under their security policy, the University encrypts all of its personal data records in transit and at rest. In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time. One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database. Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research. Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time. Which of the University’s records does Anna NOT have to include in her record of processing activities?

160 / 340

Category: CIPPEJULY2024A

160. SCENARIO. Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business. During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services. Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered. If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

161 / 340

Category: CIPPEJULY2024A

161. When would a data subject NOT be able to exercise the right to portability?

162 / 340

Category: CIPPEJULY2024A

162. Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

163 / 340

Category: CIPPEJULY2024A

163. SCENARIO Please use the following to answer the next question: Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training. After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access. How should the company respond to Jack's request to be forgotten?

164 / 340

Category: CIPPEJULY2024A

164. What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

165 / 340

Category: CIPPEJULY2024A

165. An employee of company ABCD has just noticed a memory stick containing records of client data, including an employee. What should the company do?

166 / 340

Category: CIPPEJULY2024A

166. Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

167 / 340

Category: CIPPEJULY2024A

167. In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

168 / 340

Category: CIPPEJULY2024A

168. According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

169 / 340

Category: CIPPEJULY2024A

169. What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?

170 / 340

Category: CIPPEJULY2024A

170. How does the GDPR now define “processing”?

171 / 340

Category: CIPPEJULY2024A

171. Which statement provides an accurate description of a directive?

172 / 340

Category: CIPPEJULY2024A

172. What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

173 / 340

Category: CIPPEJULY2024A

173. SCENARIO. Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information. If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

174 / 340

Category: CIPPEJULY2024A

174. Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

175 / 340

Category: CIPPEJULY2024A

175. SCENARIO. Please use the following to answer the next question: Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU). People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations. The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform. The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

176 / 340

Category: CIPPEJULY2024A

176. SCENARIO. Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies. T-Craze also opened various office locations throughout Europe to help expand its business. While Germany Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze. What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint?

177 / 340

Category: CIPPEJULY2024A

177. Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

178 / 340

Category: CIPPEJULY2024A

178. A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

179 / 340

Category: CIPPEJULY2024A

179. What type of data lies beyond the scope of the General Data Protection Regulation?

180 / 340

Category: CIPPEJULY2024A

180. . A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper’s website. Unfortunately, the prank is the top search result when a user searches on the victim’s name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

181 / 340

Category: CIPPEJULY2024A

181. . Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals. Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

182 / 340

Category: CIPPEJULY2024A

182. . In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

183 / 340

Category: CIPPEJULY2024A

183. . As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

184 / 340

Category: CIPPEJULY2024A

184. . As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

185 / 340

Category: CIPPEJULY2024A

185. . The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?

186 / 340

Category: CIPPEJULY2024A

186. . If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

187 / 340

Category: CIPPEJULY2024A

187. SCENARIO. Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers. In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme. Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities. What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

188 / 340

Category: CIPPEJULY2024A

188. SCENARIO. Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

189 / 340

Category: CIPPEJULY2024A

189. . Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

190 / 340

Category: CIPPEJULY2024A

190. . What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

191 / 340

Category: CIPPEJULY2024A

191. SCENARIO. Please use the following to answer the next question: Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files). Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers. Under their security policy, the University encrypts all of its personal data records in transit and at rest. In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time. One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database. Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research. Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time. Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?

192 / 340

Category: CIPPEJULY2024A

192. SCENARIO. Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following: “WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.” “We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.” “We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.” What additional information must Wonderkids provide in their Privacy Statement?

193 / 340

Category: CIPPEJULY2024A

193. Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

194 / 340

Category: CIPPEJULY2024A

194. SCENARIO. Please use the following to answer the next question: Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club. After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company. Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision. Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website. Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?

195 / 340

Category: CIPPEJULY2024A

195. SCENARIO. Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage. Why is the additional measure recommended by Jackie sufficient foe using UpFinance?

196 / 340

Category: CIPPEJULY2024A

196. . A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars. Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

197 / 340

Category: CIPPEJULY2024A

197. SCENARIO. Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations. Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information. Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company. JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?

198 / 340

Category: CIPPEJULY2024A

198. SCENARIO. Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans. May be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

199 / 340

Category: CIPPEJULY2024A

199. When may browser settings be relied upon for the lawful application of cookies?

200 / 340

Category: CIPPEJULY2024A

200. Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files). Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers. Under their security policy, the University encrypts all of its personal data records in transit and at rest. In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time. One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database. Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research. Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University, he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time. Anna will find that a risk analysis is NOT necessary in this situation as long as?

201 / 340

Category: CIPPEJULY2024A

201. Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?

202 / 340

Category: CIPPEJULY2024A

202. A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

203 / 340

Category: CIPPEJULY2024A

203. What should a controller do after a data subject opts out of a direct marketing activity?

204 / 340

Category: CIPPEJULY2024A

204. When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

205 / 340

Category: CIPPEJULY2024A

205. . For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?

206 / 340

Category: CIPPEJULY2024A

206. SCENARIO. Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?

207 / 340

Category: CIPPEJULY2024A

207. Why is advisable to avoid consent as a legal basis for an employer to process employee data?

208 / 340

Category: CIPPEJULY2024A

208. SCENARIO. Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers. In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme. Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities. What must Zandelay provide to the supervisory authority during the prior consultation?

209 / 340

Category: CIPPEJULY2024A

209. . Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

210 / 340

Category: CIPPEJULY2024A

210. . The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

211 / 340

Category: CIPPEJULY2024A

211. . Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

212 / 340

Category: CIPPEJULY2024A

212. According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

213 / 340

Category: CIPPEJULY2024A

213. . Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

214 / 340

Category: CIPPEJULY2024A

214. The Planet 49 CJEU Judgement applies to?

215 / 340

Category: CIPPEJULY2024A

215. SCENARIO. Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact. Why is this company obligated to comply with the GDPR?

216 / 340

Category: CIPPEJULY2024A

216. Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

217 / 340

Category: CIPPEJULY2024A

217. SCENARIO. Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies. T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze. Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?

218 / 340

Category: CIPPEJULY2024A

218. SCENARIO. Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy. Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services. Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

219 / 340

Category: CIPPEJULY2024A

219. What was the aim of the European Data Protection Directive 95/46/EC?

220 / 340

Category: CIPPEJULY2024A

220. SCENARIO. Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact. To ensure GDPR compliance, what should be the company’s position on the issue of consent?

221 / 340

Category: CIPPEJULY2024A

221. Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

222 / 340

Category: CIPPEJULY2024A

222. If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

223 / 340

Category: CIPPEJULY2024A

223. The origin of privacy as a fundamental human right can be found in which document?

224 / 340

Category: CIPPEJULY2024A

224. MagicClean is a web-based service located in the United States that matches home cleaning services to customers. Its otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?

225 / 340

Category: CIPPEJULY2024A

225. The transparency principle is most directly related to which of the following rights?

226 / 340

Category: CIPPEJULY2024A

226. What is the main task of the European Data Protection Board?

227 / 340

Category: CIPPEJULY2024A

227. . If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

228 / 340

Category: CIPPEJULY2024A

228. . Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

229 / 340

Category: CIPPEJULY2024A

229. . Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

230 / 340

Category: CIPPEJULY2024A

230. . If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

231 / 340

Category: CIPPEJULY2024A

231. According to the GDPR, how is pseudonymous personal data defined?

232 / 340

Category: CIPPEJULY2024A

232. . An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

233 / 340

Category: CIPPEJULY2024A

233. . When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

234 / 340

Category: CIPPEJULY2024A

234. SCENARIO. Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage. Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

235 / 340

Category: CIPPEJULY2024A

235. A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?

236 / 340

Category: CIPPEJULY2024A

236. A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

237 / 340

Category: CIPPEJULY2024A

237. SCENARIO. Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department. Registration Form. Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.). Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.). Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property. We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.).

First name: Surname: Year of birth: Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page. Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being. If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

238 / 340

Category: CIPPEJULY2024A

238. Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

239 / 340

Category: CIPPEJULY2024A

239. SCENARIO. Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department. Registration Form. Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.). Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.). Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property. We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name: Surname: Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page. Terms and Conditions 1.Jurisdiction. […] 2.Applicable law. […] 3.Limitation of liability. […] Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being. What is one potential problem Vigotron’s age policy might encounter under the GDPR?

240 / 340

Category: CIPPEJULY2024A

240. What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

241 / 340

Category: CIPPEJULY2024A

241. Select the answer below that accurately completes the following: “The right to compensation and liability under the GDPR…

242 / 340

Category: CIPPEJULY2024A

242. To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client. Regarding the domain of the controller-processor relationships, how is this situation considered?

243 / 340

Category: CIPPEJULY2024A

243. SCENARIO. Please use the following to answer the next question: Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training. After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access. The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester. Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

244 / 340

Category: CIPPEJULY2024A

244. According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

245 / 340

Category: CIPPEJULY2024A

245. SCENARIO. Please use the following to answer the next question: Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU). People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations. The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform. The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?

246 / 340

Category: CIPPEJULY2024A

246. SCENARIO. Please use the following to answer the next question: Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training. After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access. The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester. What would be the most appropriate response to Jacks data subject access request?

247 / 340

Category: CIPPEJULY2024A

247. An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request ?

248 / 340

Category: CIPPEJULY2024A

248. In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

249 / 340

Category: CIPPEJULY2024A

249. SCENARIO. Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

250 / 340

Category: CIPPEJULY2024A

250. Which of the following was the first legally binding international instrument in the area of data protection?

251 / 340

Category: CIPPEJULY2024A

251. Spanish electricity customer calls her local supplier with Questions: about the company’s upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

252 / 340

Category: CIPPEJULY2024A

252. Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

253 / 340

Category: CIPPEJULY2024A

253. Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

254 / 340

Category: CIPPEJULY2024A

254. SCENARIO. Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact. In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

255 / 340

Category: CIPPEJULY2024A

255. SCENARIO. Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

256 / 340

Category: CIPPEJULY2024A

256. Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

257 / 340

Category: CIPPEJULY2024A

257. A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?

258 / 340

Category: CIPPEJULY2024A

258. According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

259 / 340

Category: CIPPEJULY2024A

259. What is the most frequently used mechanism for legitimizing cross-border data transfer?

260 / 340

Category: CIPPEJULY2024A

260. If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

261 / 340

Category: CIPPEJULY2024A

261. SCENARIO. Please use the following to answer the next question: ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage. What transfer mechanism should Jackie recommend for using InstaHR?

262 / 340

Category: CIPPEJULY2024A

262. Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

263 / 340

Category: CIPPEJULY2024A

263. SCENARIO. Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

264 / 340

Category: CIPPEJULY2024A

264. To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

265 / 340

Category: CIPPEJULY2024A

265. SCENARIO. Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland. Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

266 / 340

Category: CIPPEJULY2024A

266. Which of the following is NOT a role of works councils?

267 / 340

Category: CIPPEJULY2024A

267. SCENARIO. Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance. Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies. Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance. In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way. Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes. Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system. After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

268 / 340

Category: CIPPEJULY2024A

268. A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

269 / 340

Category: CIPPEJULY2024A

269. When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

270 / 340

Category: CIPPEJULY2024A

270. SCENARIO. Please use the following to answer the next question: Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry. Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:
Name Address Date of Birth
Payroll number
National Insurance number Sick pay entitlement
Maternity/paternity pay entitlement Holiday entitlement
Pension and benefits contributions Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required. Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees. Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential enforcement action?

271 / 340

Category: CIPPEJULY2024A

271. SCENARIO. Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information. If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

272 / 340

Category: CIPPEJULY2024A

272. Which of the following was the first to implement national law for data protection in 1973?

273 / 340

Category: CIPPEJULY2024A

273. SCENARIO. Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information. Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

274 / 340

Category: CIPPEJULY2024A

274. Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

275 / 340

Category: CIPPEJULY2024A

275. SCENARIO. Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers. Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches. After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization. To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

276 / 340

Category: CIPPEJULY2024A

276. After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

277 / 340

Category: CIPPEJULY2024A

277. An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. Which of the following best explain why this practice would NOT be subject to the GDPR?

278 / 340

Category: CIPPEJULY2024A

278. Which of the following is NOT exempt from the material scope of the GDPR. insofar as the processing of personal data is concerned?

279 / 340

Category: CIPPEJULY2024A

279. Which of the following is an example of direct marketing that would be subject to European data protection laws?

280 / 340

Category: CIPPEJULY2024A

280. Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?

281 / 340

Category: CIPPEJULY2024A

281. Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

282 / 340

Category: CIPPEJULY2024A

282. To which of the following parties does the territorial scope of the GDPR NOT apply?

283 / 340

Category: CIPPEJULY2024A

283. What are the obligations of a processor that engages a sub-processor?

284 / 340

Category: CIPPEJULY2024A

284. Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified byArticle 3?

285 / 340

Category: CIPPEJULY2024A

285. Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

286 / 340

Category: CIPPEJULY2024A

286. In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

287 / 340

Category: CIPPEJULY2024A

287. Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance. Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies. Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance. In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way. Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes. Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system. Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

288 / 340

Category: CIPPEJULY2024A

288. A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

289 / 340

Category: CIPPEJULY2024A

289. In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

290 / 340

Category: CIPPEJULY2024A

290. Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

291 / 340

Category: CIPPEJULY2024A

291. SCENARIO. Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations. Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information. Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company. For what reason would JaphSoft be considered a controller under the GDPR?

292 / 340

Category: CIPPEJULY2024A

292. A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

293 / 340

Category: CIPPEJULY2024A

293. SCENARIO. Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers. Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches. After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization. What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

294 / 340

Category: CIPPEJULY2024A

294. Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?

295 / 340

Category: CIPPEJULY2024A

295. What is true if an employee makes an access request to his employer for any personal data held about him?

296 / 340

Category: CIPPEJULY2024A

296. The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

297 / 340

Category: CIPPEJULY2024A

297. Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

298 / 340

Category: CIPPEJULY2024A

298. Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

299 / 340

Category: CIPPEJULY2024A

299. Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

300 / 340

Category: CIPPEJULY2024A

300. Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

301 / 340

Category: CIPPEJULY2024A

301. When is data sharing agreement MOST likely to be needed?

302 / 340

Category: CIPPEJULY2024A

302. According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

303 / 340

Category: CIPPEJULY2024A

303. Which of the following is NOT an explicit right granted to data subjects under the GDPR?

304 / 340

Category: CIPPEJULY2024A

304. Which type of personal data does the GDPR define as a “special category” of personal data?

305 / 340

Category: CIPPEJULY2024A

305. Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

306 / 340

Category: CIPPEJULY2024A

306. SCENARIO. Please use the following to answer the next question: Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers. In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme. Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities. Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

307 / 340

Category: CIPPEJULY2024A

307. Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

308 / 340

Category: CIPPEJULY2024A

308. A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

309 / 340

Category: CIPPEJULY2024A

309. When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

310 / 340

Category: CIPPEJULY2024A

310. SCENARIO. Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations. Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information. Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company. Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

311 / 340

Category: CIPPEJULY2024A

311. SCENARIO. Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies. T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze. Which of the following is T-Craze’s lead supervisory authority?

312 / 340

Category: CIPPEJULY2024A

312. SCENARIO. Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. What is the time period in which Mike should receive a response to his request?

313 / 340

Category: CIPPEJULY2024A

313. The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

314 / 340

Category: CIPPEJULY2024A

314. SCENARIO. Please use the following to answer the next QUESTION NO: Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance. Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies. Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance. In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way. Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes. Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system. Based on the GDPR’s position on the use of personal data for direct marketing purposes, which of the following is true about Louis’s rights as a data subject?

315 / 340

Category: CIPPEJULY2024A

315. In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

316 / 340

Category: CIPPEJULY2024A

316. In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?

317 / 340

Category: CIPPEJULY2024A

317. SCENARIO. Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following: “WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.” “We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.” “We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.” What must the contract between WonderKids and the hosting service provider contain?

318 / 340

Category: CIPPEJULY2024A

318. SCENARIO. Please use the following to answer the next question:ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. What are ABC Hotel Chain and XYZ Travel Agency’s roles in this relationship?

319 / 340

Category: CIPPEJULY2024A

319. Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

320 / 340

Category: CIPPEJULY2024A

320. What is the key difference between the European Council and the Council of the European Union?

321 / 340

Category: CIPPEJULY2024A

321. What term BEST describes the European model for data protection?

322 / 340

Category: CIPPEJULY2024A

322. What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

323 / 340

Category: CIPPEJULY2024A

323. Which aspect of the GDPR will likely have the most impact on the consistent implementation of data laws throughout the European Union?

324 / 340

Category: CIPPEJULY2024A

324. A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

325 / 340

Category: CIPPEJULY2024A

325. How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

326 / 340

Category: CIPPEJULY2024A

326. In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

327 / 340

Category: CIPPEJULY2024A

327. Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files ?

328 / 340

Category: CIPPEJULY2024A

328. How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

329 / 340

Category: CIPPEJULY2024A

329. Which of the following is the weakest lawful basis for processing employee personal data?

330 / 340

Category: CIPPEJULY2024A

330. SCENARIO Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations. Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information. Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company. Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

331 / 340

Category: CIPPEJULY2024A

331. A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of the following would be the best legal basis for the company to rely upon?

332 / 340

Category: CIPPEJULY2024A

332. It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3

333 / 340

Category: CIPPEJULY2024A

333. Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

334 / 340

Category: CIPPEJULY2024A

334. A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

335 / 340

Category: CIPPEJULY2024A

335. SCENARIO. Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts. Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations. Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information. Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company. Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

336 / 340

Category: CIPPEJULY2024A

336. Which of the following is one of the supervisory authority’s investigative powers?

337 / 340

Category: CIPPEJULY2024A

337. You are the new Data Protection Officer for your company and have to determine whether the company has implemented appropriate technical and organizational measures as required by Article 32 of the GDPR. Which of the following would be the most important to consider when trying to determine this?

338 / 340

Category: CIPPEJULY2024A

338. Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

339 / 340

Category: CIPPEJULY2024A

339. A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

340 / 340

Category: CIPPEJULY2024A

340. A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

Your score is

0%