
  • CIPP-E Dumps PDF
  • 268 Questions
  • Updated On March 25, 2024


How to pass IAPP CIPP-E exam with the help of dumps?

DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest IAPP CIPP-E Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.

How Do I Know IAPP CIPP-E Dumps are Worth it?

Did we mention our latest CIPP-E Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments, let us explore all the other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.

You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just IAPP Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!

IT Students Are Using our Certified Information Privacy Professional/Europe (CIPP/E) Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Certified Information Privacy Professional/Europe (CIPP/E) Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through what you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.

How to Get CIPP-E Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CIPP-E exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated and fake content, repeated questions, and false or indefinite information. We make every penny count, and you leave our platform fully satisfied!

IAPP CIPP-E Sample Question Answers

Question # 1

Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike’s request. 
B. Not more than two months after verifying Mike’s identity. 
C. When all the information about Mike has been collected. 
D. Not more than thirty days after submission of Mike’s request. 

Question # 2

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

A. The widgets are offered in EU and priced in euro. 
B. The website is in English and French, and is accessible in France. 
C. An affiliate office is located in France but the processing is in the U.S. 
D. The website places cookies to monitor the EU website user behavior. 

Question # 3

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

A. Providing a multi-layered privacy notice, in a website environment. 
B. Providing a QR code linking to more detailed privacy notice, in a CCTV sign. 
C. Providing a hyperlink to the organization’s home page, in a hard copy application form. 
D. Providing a “just-in-time” contextual pop-up privacy notice, in an online application form field. 

Question # 4

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. Which of the following best explains why this practice would NOT be subject to the GDPR?

A. Body temperature is not considered personal data. 
B. The practice does not involve completion by automated means. 
C. Body temperature is considered pseudonymous data. 
D. The practice is for the purpose of alleviating extreme risks to public health. 

Question # 5

Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

A. Send out consent forms to all of its employees. 
B. Minimize the amount of data collected for the lawsuit. 
C. Inform all of its employees about the lawsuit. 
D. Encrypt the data from all of its employees. 

Question # 6

If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

A. 1 month. 
B. 3 months. 
C. 5 months. 
D. 12 months. 

Question # 7

Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

A. Court of Auditors 
B. Court of Justice of European Union 
C. European Court of Human Rights 
D. European Data Protection Board 

Question # 8

Select the answer below that accurately completes the following: “The right to compensation and liability under the GDPR…

A. …provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.” 
B. …precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing.” 
C. …can only be exercised against the data controller, even if a data processor was involved in the same processing.” 
D. …is limited to a maximum amount of EUR 20 million per event of damage or loss.” 

Question # 9

Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

A. The Court of Justice of the European Union. 
B. The European Data Protection Board. 
C. The Data Protection Authority. 
D. The European Commission. 

Question # 10

As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

A. Protection of the interests of the data subjects. 
B. Performance of a contract 
C. Legitimate interest 
D. Consent 

Question # 11

Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

A. The request is to obtain access and correct inaccurate personal data in his profile. 
B. The request is to obtain access and information about the purpose of processing his personal data. 
C. The request is to obtain access and erasure of his personal data while keeping his rewards membership. 
D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership. 

Question # 12

Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

A. An information security risk by copying the data into a new database. 
B. A potential legal liability and financial exposure from its customers. 
C. A significant risk to the customers’ fundamental rights and freedoms. 
D. A significant risk due to the lack of an informed consent mechanism. 

Question # 13

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

A. Choose the data protection officer that is most sympathetic to their business concerns. 
B. Designate their main establishment in the member state with the most flexible practices. 
C. File appeals of infringement judgments with more than one EU institution simultaneously. 
D. Select third-party processors on the basis of cost rather than quality of privacy protection. 

Question # 14

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

A. Inform the data subject of the security measures in place. 
B. Ensure that the receiving entity has signed a data processing agreement. 
C. Encrypt the transferred data in transit and at rest. 
D. Conduct a data protection impact assessment. 

Question # 15

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

A. The local Data Protection Supervisory Authorities. 
B. The European Data Protection Board. 
C. The EU Commission. 
D. The Member States. 

Question # 16

If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

A. Decision 2001/497/EC (EU controller to non-EU or EEA controller). 
B. Decision 2004/915/EC (EU controller to non-EU or EEA controller). 
C. Decision 2007/72/EC (EU processor to non-EU or EEA controller). 
D. Decision 2010/87/EU (Non-EU or EEA processor from EU controller). 

Question # 17

Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. What is the nature of BHealthy and Natural Insight’s relationship?

A. Natural Insight is BHealthy’s processor because the companies entered into data processing terms. 
B. Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural Insight. 
C. Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens. 
D. Natural Insight is a controller because it separately determines the purpose of processing when it uses BHealthy’s customer information to improve its machine learning algorithms. 

Question # 18

Please use the following to answer the next question: Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients. Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary. What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

A. Conduct analysis only on anonymized personal data. 
B. Conduct analysis only on pseudonymized personal data. 
C. Delete all data collected prior to May 2018 after conducting the trend analysis. 
D. Procure a third party to conduct the analysis and delete the data from Market4U’s systems. 

Question # 19

A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. 
B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates. 
C. Assess whether the company has more than 250 employees in each of the EU member states in which it is established. 
D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default. 

Question # 20

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

A. It cannot be attributed to a data subject without the use of additional information. 
B. It cannot be attributed to a person under any circumstances. 
C. It can only be attributed to a person by the controller. 
D. It can only be attributed to a person by a third party. 

Question # 21

When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

A. After a personal data breach. 
B. Every three (3) years. 
C. On an ongoing basis. 
D. Every year. 

Question # 22

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

A. General Data Protection Regulation 2016/679. 
B. E-Privacy Directive 2002/58/EC. 
C. E-Commerce Directive 2000/31/EC. 
D. Data Protection Directive 95/46/EC. 

Question # 23

Which of the following is the weakest lawful basis for processing employee personal data?

A. Processing based on fulfilling an employment contract. 
B. Processing based on employee consent. 
C. Processing based on legitimate interests. 
D. Processing based on legal obligation. 

Question # 24

The Planet 49 CJEU Judgement applies to?

A. Cookies used only by third parties. 
B. Cookies that are deemed technically necessary. 
C. Cookies regardless of whether the data accessed is personal or not. 
D. Cookies where the data accessed is considered as personal data only. 

Question # 25

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

A. The European Commission. 
B. The Article 29 Working Party. 
C. The Council of the European Union. 
D. The European Data Protection Board. 

Question # 26

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

A. Data ownership allocation. 
B. Access control management. 
C. Frequent pseudonymization key rotation. 
D. Error propagation avoidance along the processing chain. 

Question # 27

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based on the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals. Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A. It collects data from European Union websites, which constitutes an establishment in the European Union. 
B. It offers services in the European Union by identifying data subjects in the European Union. 
C. It collects data from subjects and uses it for automated processing. 
D. It monitors the behavior of data subjects in the European Union. 

Question # 28

Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies. T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze. Which of the following is T-Craze’s lead supervisory authority?

A. Germany, because that is where T-Craze is headquartered.
B. France, because that is where T-Craze conducts processing of personal information. 
C. Spain, because that is T-Craze’s primary market based on its marketing campaigns. 
D. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries. 

Question # 29

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

A. The obligation of companies to declare data breaches. 
B. The requirement to demonstrate compliance to a supervisory authority. 
C. The necessity of the bulk collection of personal data by the government. 

Question # 30

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A. The right to request access to the personal data a controller holds about them. 
B. The right to request the deletion of data a controller holds about them. 
C. The right to opt-out of the sale of their personal data to third parties. 
D. The right to request restriction of processing of personal data, under certain scenarios. 

Question # 31

Which of the following was the first legally binding international instrument in the area of data protection?

A. Convention 108. 
B. General Data Protection Regulation. 
C. Universal Declaration of Human Rights. 
D. EU Directive on Privacy and Electronic Communications. 

Question # 32

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

A. If the data protection officer lacks ISO 27001 auditor certification. 
B. If the data protection officer is provided by the data processor. 
C. If the data protection officer also manages the marketing budget. 
D. If the data protection officer receives instructions from the data controller. 

Question # 33

What is the most frequently used mechanism for legitimizing cross-border data transfer?

A. Standard Contractual Clauses. 
B. Approved Code of Conduct. 
C. Binding Corporate Rules. 
D. Derogations. 

Question # 34

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

A. Only where the organization can show that it is reasonable to do so because more than one request was made. 
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR. 
C. Only where the administrative costs of taking the action requested exceed a certain threshold.
D. Only if the organization can demonstrate that the request is clearly excessive or misguided. 

Question # 35

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

A. The ease of identification of individuals. 
B. The size of any data processor involved. 
C. The special characteristics of the data controller. 
D. The nature, sensitivity and volume of personal data. 

Question # 36

Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member. Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights. What are ABC Hotel Chain and XYZ Travel Agency’s roles in this relationship?

A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor. 
B. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor. 
C. ABC Hotel Chain and XYZ Travel Agency are independent controllers. 
D. ABC Hotel Chain and XYZ Travel Agency are joint controllers. 

Question # 37

Which of the following was the first to implement national law for data protection in 1973?

A. France 
B. Sweden 
C. Germany 
D. United Kingdom 

Question # 38

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

A. The Court of Justice of the European Union. 
B. The European Data Protection Supervisor. 
C. The European Court of Human Rights. 
D. The European Data Protection Board. 

Question # 39

For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?

A. Posting an employee’s bicycle race photo on the company’s social media. 
B. Processing an employee’s health certificate in order to provide sick leave. 
C. Operating a CCTV system on company premises. 
D. Assessing a potential employee’s job application. 

Question # 40

According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

A. When processed with the intent to publish information regarding a natural person on publicly accessible media. 
B. When processed with the intent to proceed to scientific or historical research projects. 
C. When processed with the intent to uniquely identify or authenticate a natural person. 
D. When processed with the intent to comply with a law. 

Question # 41

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications. 
B. The Directive was superseded by the General Data Protection Regulation. 
C. The Directive was annulled by the Court of Justice of the European Union. 
D. The Directive was annulled by the European Court of Human Rights. 

Question # 42

Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?

A. New corporate governance and code of conduct. 
B. A data protection impact assessment. 
C. A comprehensive data inventory. 
D. Hiring a data protection officer. 

Question # 43

Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

A. Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history. 
B. Only the security measures assessed by BHealthy prior to entering into the data processing contract. 
C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight. 
D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history. 

Question # 44

Please use the following to answer the next question: Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients. Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary. What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U’s forms?

A. Make all the fields optional. 
B. Only request the information in brackets (i.e., age group and salary range). 
C. Eliminate the fields, as they are not proportional to the services being offered.
D. Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events. 

Question # 45

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A. The school places a notice near each camera. 
B. The school gets explicit consent from the students. 
C. Processing is necessary for the legitimate interests pursued by the school.
D. A state law requires facial recognition to verify attendance. 

Question # 46

Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens. Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms. In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

A. If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy. 
B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. 
C. If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities. 
D. If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities. 

Question # 47

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

A. Law firm organizations. 
B. Civil society organizations. 
C. Human rights organizations. 
D. Constitutional rights organizations.

Question # 48

Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm. As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

A. Notify its Data Protection Authority about the data breach. 
B. Analyze and evaluate the liability for customers in Ireland. 
C. Analyze and evaluate all of its breach notification obligations. 
D. Notify all of its customers that reside in the European Union. 

Question # 49

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

A. The individuals are European citizens or residents. 
B. The data processing activities are in Spain. 
C. The data controller is in France. 
D. The EU individuals are targeted. 

Question # 50

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

A. Both govern international transfers of personal data
B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority

Question # 51

Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience. When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa.
However, your company has not yet revised its consumer-facing privacy policy to indicate this. In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact. To ensure GDPR compliance, what should be the company’s position on the issue of consent?

A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
B. Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority.
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected.

Question # 52

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

A. Within 40 days of receipt
B. Within 40 days of receipt, which may be extended by up to 40 additional days
C. Within one month of receipt, which may be extended by up to an additional month
D. Within one month of receipt, which may be extended by an additional two months

Question # 53

Please use the following to answer the next question: Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance. Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of insurance policies. Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance. In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance.
He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way. Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes. Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system. Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Question # 54

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.
B. A pre-checked box stating that the consumer agrees to receive email marketing.
C. A notice that the consumer’s email address will be used for marketing purposes.
D. No prior permission required, but an opt-out requirement on all emails sent to consumers.