
IAPP CIPP/E Exam Questions and Answers, Certified Information Privacy Professional/Europe | SPOTO

Question #1
SCENARIO Please use the following to answer the next question: Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry. Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itsel
A. Their omission of data protection provisions in their contract with Company
B. Their failure to provide sufficient security safeguards to Company A’s data
C. Their engagement of Company C to improve their payroll service
D. Their decision to operate without a data protection officer
Correct Answer: B
Question #2
SCENARIO Please use the following to answer the next question: Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: - Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. - Staff records, including
A. Student records
B. Staff and alumni records
C. Frank’s performance database
D. Department for Education records
Correct Answer: B
Question #3
A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?
A. The lawful processing criteria stipulated by Articles 6 to 9
B. The information requirements set out in Articles 13 and 14
C. The breach notification requirements specified in Articles 33 and 34
D. The rights granted to data subjects under Articles 12 to 22
Correct Answer: D
Question #5
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
A. The European Parliament
B. The European Commission
C. The Article 29 Working Party
D. The European Council
Correct Answer: AB
Question #6
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
A. The right to privacy is an absolute right
B. The right to privacy has to be balanced against other rights under the ECHR
C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
Correct Answer: ABD
Question #7
SCENARIO Please use the following to answer the next question: Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: - Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. - Staff records, including
A. More information about Frank’s data protection training
B. More information about the extent of the information loss
C. More information about the algorithm Frank used to mask student numbers
D. More information about what students have been told and how the research will be used
Correct Answer: D
Question #8
According to the GDPR, how is pseudonymous personal data defined?
A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately
B. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data
C. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable
D. Data that has been encrypted or is subject to other technical safeguards
Correct Answer: A
Question #9
After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?
A. Any parents of children whose personal data was compromised
B. Any affected customers whose data was compromised
C. A competent supervisory authority
D. A local law enforcement agency
Correct Answer: C
Question #10
Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?
A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes
B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data
C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data
D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose
Correct Answer: D
Question #11
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
A. Both govern international transfers of personal data
B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority
Correct Answer: AD
Question #12
According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?
A. Where the technology supporting the website is located
B. Where the website is accessed
C. Where the decisions about processing are made
D. Where the customer’s Internet service provider is located
Correct Answer: AD
Question #13
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?
A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping
B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition
C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing
D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system
Correct Answer: AD
Question #14
When is a data sharing agreement MOST likely to be needed?
A. When anonymized data is being shared
B. When personal data is being shared between commercial organizations acting as joint data controllers
C. When personal data is being proactively shared by a controller to support a police investigation
D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed
Correct Answer: B
Question #15
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot
B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot
C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot
D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot
Correct Answer: B
Question #17
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
A. Approved certifications
B. Binding corporate rules
C. Law enforcement requests
D. Standard contractual clauses
Correct Answer: A
Question #18
SCENARIO Please use the following to answer the next question: Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request
Correct Answer: A
Question #19
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
A. Inform the subjects about the collection
B. Provide a public notice regarding the data
C. Upgrade security to match that of the source
D. Update the data within a reasonable timeframe
Correct Answer: A
Question #20
SCENARIO Please use the following to answer the next question: Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
A. If Accidentable is entitled to use of the data as an affiliate of Bedrock
B. If Accidentable also uses the data to conduct public health research
C. If the data becomes necessary to defend Accidentable’s legal rights
D. If the accuracy of the data is not an aspect that Louis is disputing
Correct Answer: C
Question #21
Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based on the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presente
A. It collects data from European Union websites, which constitutes an establishment in the European Union
B. It offers services in the European Union by identifying data subjects in the European Union
C. It collects data from subjects and uses it for automated processing
D. It monitors the behavior of data subjects in the European Union
Correct Answer: D
Question #22
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?
A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection
B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms
C. Demonstrate that the profiling is for the purposes of direct marketing
D. Consider the importance of the profiling to their particular objective
Correct Answer: AC
Question #23
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
A. The behavior of suspected terrorists being monitored by EU law enforcement bodies
B. Personal data of EU citizens being processed by a controller or processor based outside the E
C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies
D. Personal data of EU residents being processed by a non-EU business that targets EU customers
Correct Answer: ACD
Question #24
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?
A. It must solicit informed consent through a notice on its website
B. It must seek authorization from the European supervisory authorities
C. It must be able to demonstrate a prior business relationship with the customers
D. It must prove that it uses sufficient security safeguards to protect customer data
Correct Answer: A
Question #25
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?
A. Documenting due diligence steps taken in the pre-contractual stage
B. Conducting a risk assessment to analyze possible outsourcing threats
C. Requiring that the processor directly notify the appropriate supervisory authority
D. Maintaining evidence that the processor was the best possible market choice available
Correct Answer: C
Question #26
In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?
A. A privacy notice containing brief information whilst offering access to further detail
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website
C. An explanation of the security measures used when personal data is transferred to a third party
D. An efficient means of providing written consent in member states where they are required to do so
Correct Answer: A
Question #27
SCENARIO Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business. During negotiations, a Techiva representative
A. The resulting obligation to notify data subjects would involve disproportionate effort
B. The incident resulted from the actions of a third-party that were beyond their control
C. The destruction of the stolen data makes any risk to the affected data subjects unlikely
D. The sensitivity of the categories of data involved in the incident was not substantial enough
Correct Answer: B
Question #29
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
A. The establishment of a list of legitimate data processing criteria
B. The creation of legally binding data protection principles
C. The synchronization of approaches to data protection
D. The restriction of cross-border data flow
Correct Answer: C
Question #30
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
A. The data subject already has information regarding how his data will be used
B. The provision of such information to the data subject would be too problematic
C. Third-party data would be disclosed by providing such information to the data subject
D. The processing of the data subject’s data is protected by appropriate technical measures
Correct Answer: A