Apr-2026 Pass Your CIPP-E Exam at the First Try with 100% Real Exam [Q160-Q183]

Apr-2026 Pass Your CIPP-E Exam at the First Try with 100% Real Exam

Get Real Exam Questions for CIPP-E with New Questions

NEW QUESTION # 160
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately
650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?

• A. An explanation of the purposes and means of the intended processing.
• B. An evaluation of the complexity of the intended processing.
• C. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.
• D. Records showing that customers have explicitly consented to the intended profiling activities.

Answer: A

NEW QUESTION # 161
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

• A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
• B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
• C. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
• D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Answer: D

Explanation:
The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.
However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.
The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.
Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.
However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.
Reference:
Physical Data - GDPR Summary
What GDPR Means for Your Physical Records - Access
Personal Data - Data Protection Act 2018

NEW QUESTION # 162
A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

• A. The information requirements set out in Articles 13 and 14
• B. The rights granted to data subjects under Articles 12 to 22
• C. The breach notification requirements specified in Articles 33 and 34
• D. The lawful processing criteria stipulated by Articles 6 to 9

Answer: B

Explanation:
The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many dataprivacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2.
The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union's (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.
Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.
References:
OECD Privacy Principles
What are the 7 main principles of GDPR?
Fair Information Practice Principles (FIPPs)
Individual Participation - International Association of Privacy Professionals What is the right to be forgotten? | Right to erasure | Cloudflare General Data Protection Regulation - Wikipedia

NEW QUESTION # 163
When may browser settings be relied upon for the lawful application of cookies?

• A. When users are aware of the ability to adjust their settings.
• B. When users are provided with information about which cookies have been set.
• C. When a user rejects cookies that are strictly necessary.
• D. When it is impossible to bypass the choices made by users in their browser settings.

Answer: A

NEW QUESTION # 164
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

• A. Their failure to provide sufficient security safeguards to Company A's data.
• B. Their omission of data protection provisions in their contract with Company C.
• C. Their engagement of Company C to improve their payroll service.
• D. Their decision to operate without a data protection officer.

Answer: C

NEW QUESTION # 165
What is the key difference between the European Council and the Council of the European Union?

• A. The European Council is comprised of the heads of each EU member state.
• B. The Council of the European Union has a degree of legislative power.
• C. The Council of the European Union is helmed by a president.
• D. The European Council focuses primarily on issues involving human rights.

Answer: A

Explanation:
Section: (none)
Explanation

NEW QUESTION # 166
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

• A. Their failure to provide sufficient security safeguards to Company A's data.
• B. Their omission of data protection provisions in their contract with Company C.
• C. Their engagement of Company C to improve their payroll service.
• D. Their decision to operate without a data protection officer.

Answer: C

Explanation:
While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:
A) Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.
B) Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action.
C) Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action.
D) Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.
Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.

NEW QUESTION # 167
The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?

• A. Any personal data related to data subjects must be securely maintained for a maximum of ten years.
• B. Controllers must be given notice of any subprocessors and have a right of objection.
• C. Individuals authorized to process the personal data are subject to an obligation of confidentiality.
• D. Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.

Answer: A

Explanation:
The General Data Protection Regulation (GDPR) introduces several obligations for processors who process personal data on behalf of controllers. These obligations apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR's list of processor obligations regarding cloud computing includes all of the following:
Controllers must be given notice of any subprocessors and have a right of objection. According to Article 28 of the GDPR, a processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Individuals authorized to process the personal data are subject to an obligation of confidentiality. According to Article 28 of the GDPR, the processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk. According to Article 32 of the GDPR, the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The GDPR's list of processor obligations regarding cloud computing does not include the following:
Any personal data related to data subjects must be securely maintained for a maximum of ten years. The GDPR does not specify a precise time limit for the storage of personal data, but leaves it to the controller to determine the appropriate retention period, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also allows for the further storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards. Therefore, the processor must follow the instructions of the controller regarding the storage duration of the personal data, and delete or return the personal data to the controller after the end of the provision of services relating to the processing, unless required to store the personal data by Union or Member State law.
References:
GDPR, Articles 3, 4, 28, 29, 32, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23,
24, 25, 26, 27, and 28.
Cloud Computing and GDPR: what you need to know | Combell, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.
GDPR Processor Obligations - Taylor Wessing, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

NEW QUESTION # 168
You are the new Data Protection Officer for your company and have to determine whether the company has implemented appropriate technical and organizational measures as required by Article 32 of the GDPR.
Which of the following would be the most important to consider when trying to determine this?

• A. How security measures might evolve in the future
• B. Which security measures are endorsed by a majority of experts.
• C. Which kinds of security measures your company has employed in the past
• D. How the public perceives what constitutes adequate security measures

Answer: D

NEW QUESTION # 169
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

• A. The EU Cybersecurity Directive
• B. The ePrivacy Directive
• C. The E-Commerce Directive
• D. The Data Retention Directive

Answer: B

Explanation:
The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. Reference:
Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script
EU Cookie Law - Data Protection and Cookies - Cookiebot
ePrivacy Directive - Regulations - Learn how CookiePro Helps

NEW QUESTION # 170
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?

• A. Maintain a secure Bring Your Own Device (BYOD) program.
• B. Ensure cloud vendors are complying with internal data use policies.
• C. Pursue a GDPR-compliant Privacy by Design process.
• D. Institute a GDPR-compliant employee monitoring process.

Answer: A

NEW QUESTION # 171
What are the obligations of a processor that engages a sub-processor?

• A. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
• B. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
• C. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
• D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Answer: A

Explanation:
Reference https://inplp.com/latest-news/article/gdpr-rights-and-obligations-of-sub-processors/

NEW QUESTION # 172
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

• A. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
• B. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
• C. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
• D. Submit a draft decision to other supervisory authorities for their opinion.

Answer: C

NEW QUESTION # 173
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
Why is this company obligated to comply with the GDPR?

• A. The company has offices in the EU.
• B. The company's data center is located in a country outside the EU.
• C. The company's products are marketed directly to EU customers.
• D. The company employs staff in the EU.

Answer: C

NEW QUESTION # 174
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs' handling of customer personal data?

• A. The data is sensitive.
• B. The data is being used for a new purpose.
• C. The data is being processed via a new means.
• D. The data is uncategorized.

Answer: B

Explanation:
According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or rely on another lawful basis for processing. Data controllers must also respect the principle of data minimisation, which means that they should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed2.
In the scenario, Brady transfers his customers' personal data to Hermes Designs, a third-party contractor, for the purpose of providing web page design services. However, Hermes Designs uses the data for a new purpose, which is creating sample customized banner advertisements and conducting direct marketing to the customers. This new purpose is not compatible with the original purpose for which the data was collected and transferred, and it is not likely that the customers have consented to it or that there is another lawful basis for it. Moreover, Hermes Designs may be processing more personal data than what is necessary for the original purpose, such as the customers' business plans and preferences. Therefore, Brady should be concerned with Hermes Designs' handling of customer personal data, as it may violate the GDPR and expose him to legal risks and reputational damages.
Reference:
1: Art. 5(1)(b) GDPR Principles relating to processing of personal data
2: Art. 5(1) GDPR Principles relating to processing of personal data

NEW QUESTION # 175
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?

• A. AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
• B. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
• C. It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.
• D. The data storage period has to be revised, and a data processing agreement w*h AWS must be signed

Answer: D

Explanation:
According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed1. Therefore, the data storage period of the backup system must be aligned with this principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects2. This is usually done by signing a data processing agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR4. Reference:
Free CIPP/E Study Guide, page 24, section 4.2.1
Free CIPP/E Study Guide, page 25, section 4.3
GDPR, Article 28
GDPR - Amazon Web Services (AWS), section "GDPR resources"

NEW QUESTION # 176
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

• A. A company wants to use location data to track delivery trucks in order to make the routes more efficient.
• B. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
• C. A company wants to combine location data with other data in order to offer more personalized service for the customer.
• D. A company wants to use location data to infer information on a person's clothes purchasing habits.

Answer: B

Explanation:
According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as:
* a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject;
* processing on a large scale of special categories of data or data relating to criminal convictions and offences; or
* a systematic monitoring of a publicly accessible area on a large scale.
Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects' privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.
Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency.
Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive.
Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.
References:
* GDPR Article 35
* Guidelines on DPIA
* Art. 35 GDPR - Data protection impact assessment - GDPR.eu

NEW QUESTION # 177

• A. Avoiding the use of another company's data to improve their own services.
• B. Vetting companies' measures with the appropriate supervisory authority.
• C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
• D. Requesting advice and technical support from Company A's IT team.
• E. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
  Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
  Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company
• F. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
  Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
  The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

Answer: C,E

Explanation:
Explanation/Reference: https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/

NEW QUESTION # 178
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?

• A. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.
• B. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.
• C. He will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.
• D. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

Answer: C

NEW QUESTION # 179
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

• A. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
• B. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
• C. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.
• D. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.

Answer: D

Explanation:
The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons1. A personal data breach means a breach of security leading to the accidentalor unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33 (3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach1. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR.
Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions3. Option C would misuse the "disproportionate effort" exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technicaland organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it4. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority5. References: 1: Article 33(1) of the GDPR 2: Article 4 (12) of the GDPR 3: Article 83(4)(a) of the GDPR 4: Article 34(3)(a) of the GDPR 5: Article 34(1) and (2) of the GDPR

NEW QUESTION # 180
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform.
The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.
The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.
All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.
Should Jane modify the required GDPR rights waiver for non-European residents?

• A. Yes, this clause must be entirely removed as all customers,
  regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.
• B. No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.
• C. No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.
• D. Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

Answer: A

Explanation:
The GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or residence. This means that non-EU residents who are physically located in the EU are protected by the GDPR, and EU residents who are outside the EU are not. However, this does not mean that non-EU residents who are outside the EU can be asked to waive their GDPR rights by a company that is subject to the GDPR. The GDPR does not allow such waivers, as they would undermine the essence of the fundamental rights and freedoms of data subjects. The GDPR also requires that data subjects are provided with clear and transparent information about the processing of their personal data, and that they give their consent freely, specifically, informedly and unambiguously. A blanket waiver of GDPR rights does not meet these criteria, and would therefore be invalid and unenforceable.
References:
*GDPR Article 3 - Territorial scope1
*GDPR Article 7 - Conditions for consent2
*GDPR Article 25 - Data protection by design and by default3
*GDPR Recital 171 - Relationship with previously concluded agreements4

NEW QUESTION # 181
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

• A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
• B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
• C. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
• D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Answer: D

Explanation:
The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.
However, the GDPR also distinguishes between different types of processing activities and their legal bases.
Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.
The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.
Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.
However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.
References:
Physical Data - GDPR Summary
What GDPR Means for Your Physical Records - Access
Personal Data - Data Protection Act 2018
Reference: https://www.zimmerslaw.com/english-1/data-protection/

NEW QUESTION # 182
What is the key difference between the European Council and the Council of the European Union?

• A. The Council of the European Union has a degree of legislative power.
• B. The Council of the European Union is helmed by a president.
• C. The European Council focuses primarily on issues involving human rights.
• D. The European Council is comprised of the heads of each EU member state.
  Section: (none)
  Explanation

Answer: D

NEW QUESTION # 183
......

Updated CIPP-E Certification Exam Sample Questions: https://troytec.itpassleader.com/IAPP/CIPP-E-dumps-pass-exam.html