
NEW QUESTION # 144
The transparency principle is most directly related to which of the following rights?
- A. Right to restriction of processing.
- B. Right to be informed.
- C. Right to object
- D. Right to be forgotten.
Answer: B
NEW QUESTION # 145
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?
- A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
- B. When it has been determined that adequate protection can be performed.
- C. Only as a last resort and when interpreted restrictively.
- D. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
Answer: B
Explanation:
Reference https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf (4)
NEW QUESTION # 146
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
- A. The Council of the European Union.
- B. National data protection authorities.
- C. The European Data Protection Supervisor.
- D. Approved data controllers.
Answer: D
NEW QUESTION # 147
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
- A. Legislative powers.
- B. Corrective powers.
- C. Authorization and advisory powers.
- D. Investigatory powers.
Answer: A
Explanation:
Reference https://www.privacy-regulation.eu/en/article-58-powers-GDPR.htm
NEW QUESTION # 148
Which of the following is NOT a role of works councils?
- A. Determining whether to approve or reject certain decisions of the employer that affect employees.
- B. Determining what changes will affect employee working conditions.
- C. Determining whether employees' personal data can be processed or not.
- D. Determining the monetary fines to be levied against employers for data breach violations of employee data.
Answer: D
NEW QUESTION # 149
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed. Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents." In relation to the emails, Jack listed six members of the management team whose inboxes he required access to.
How should the company respond to Jack's request to be forgotten?
- A. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.
- B. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.
- C. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.
- D. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
Answer: B
NEW QUESTION # 150
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Identify uses of data in a privacy notice mailed to the data subject.
- B. Use a layered privacy notice on its website and in its email communications.
- C. Provide only general information about its processing activities and offer a toll-free number for more information.
- D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
Answer: A
Explanation:
Reference https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-bureau-consumer-protection-preliminary-ftc-staff-report-protecting-consumer/101201privacyreport.pdf
NEW QUESTION # 151
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
- Name
- Address
- Date of birth
- Payroll number
- National Insurance number
- Sick pay entitlement
- Maternity/paternity pay entitlement
- Holiday entitlement
- Pension and benefits contributions
- Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
- A. Requesting advice and technical support from Company A's IT team.
- B. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
- C. Avoiding the use of another company's data to improve their own services.
- D. Vetting companies' measures with the appropriate supervisory authority.
Answer: B
NEW QUESTION # 152
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
What transfer mechanism should Jackie recommend for using InstaHR?
- A. Explicit consent of employees.
- B. Standard contractual clauses
- C. Adequacy
- D. Binding corporate rules.
Answer: A
NEW QUESTION # 153
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
- A. The Council of the European Union.
- B. National data protection authorities.
- C. The European Data Protection Supervisor.
- D. Approved data controllers.
Answer: D
Explanation:
Reference https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
NEW QUESTION # 154
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
- A. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
- B. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
- C. It is not legal to include fields requiring information regarding health status without consent.
- D. Processing health data requires explicit consent, but the form does not ask for explicit consent.
Answer: A
NEW QUESTION # 155
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. When an individual has not consented to the marketing.
- B. When an individual's details are obtained from their inquiries about buying a product.
- C. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- D. Where an individual's details have been obtained from a bought-in marketing list.
Answer: C
NEW QUESTION # 156
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, colloquially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?
- A. Obtain a court order because location data is a special category of personal data.
- B. Get consent from the app users.
- C. Anonymize the data and add latency so it avoids disclosing real time locations.
- D. Provide a transparent notice to users.
Answer: B
NEW QUESTION # 157
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
- Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
- Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
- Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
- Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?
- A. Student records
- B. Staff and alumni records
- C. Frank's performance database
- D. Department for Education records
Answer: C
NEW QUESTION # 158
In which of the following situations would an individual most likely be able to withdraw her consent for processing?
- A. When she has recently changed jobs and no longer works for the same company.
- B. When she is leaving her bank and moving to another bank.
- C. When she disagrees with a diagnosis her doctor has recorded on her records.
- D. When she no longer wishes to be sent marketing materials from an organization.
Answer: D
NEW QUESTION # 159
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The restriction of cross-border data flow
- B. The synchronization of approaches to data protection
- C. The establishment of a list of legitimate data processing criteria
- D. The creation of legally binding data protection principles
Answer: B
Explanation:
Reference https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dp-directive.pdf (99)
NEW QUESTION # 160
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
- A. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
- B. Personal data of EU residents being processed by a non-EU business that targets EU customers.
- C. Personal data of EU citizens being processed by a controller or processor based outside the EU.
- D. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
Answer: C
Explanation:
Reference https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extra-territoriality/
NEW QUESTION # 161
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
- A. Background checks on European employees will stem from data protection and employment law, which can vary between member states.
- B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
- C. Background checks on employees could be performed only under prior notice to all employees.
- D. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
Answer: A
Explanation:
Reference https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/conductingbackgroundinvestigations.aspx
NEW QUESTION # 162
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?
- A. Accuracy
- B. Storage Limitation
- C. Integrity and confidentiality
- D. Lawfulness, fairness and transparency
Answer: C
NEW QUESTION # 163
Which of the following would require designating a data protection officer?
- A. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
- B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
- C. Processing is carried out by an organization employing 250 persons or more.
- D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
Answer: D
Explanation:
Reference https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
NEW QUESTION # 164
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the components that make a campaign successful. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor provided her personal data to that company.
JaphSoft's use of pseudonymization is NOT in compliance with the GDPR because:
- A. JaphSoft was in possession of information that could be used to identify data subjects.
- B. JaphSoft failed to first anonymize the personal data.
- C. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
- D. JaphSoft failed to keep personally identifiable information in a separate database.
Answer: C
NEW QUESTION # 165
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A. Categories of processing carried out on behalf of each controller for which the processor is acting.
- B. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
- C. Name and contact details of each controller on behalf of which the processor is acting.
- D. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
Answer: D
Explanation:
Reference https://gdpr-info.eu/art-30-gdpr/
IAPP CIPP/E Exam Registration
To apply for the IAPP CIPP/E exam, follow these steps:
Step 1: Visit the IAPP store website.
Step 2: Search for the CIPP/E exam and purchase it by making payment with a credit or debit card.
Step 3: Through Pearson VUE's scheduling platform, you will be able to choose a test center, time and date.
