IAPP CIPP-E Real Exam Questions
The questions for CIPP-E were last updated at Dec 19,2024.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Dec 19,2024
Read the following steps:
✑ Discover which employees are accessing cloud services and from which devices and apps
✑ Lock down the data in those apps and devices
✑ Monitor and analyze the apps and devices for compliance
✑ Manage application life cycles
✑ Monitor data sharing
An organization should perform these steps to do which of the following?
- A . Pursue a GDPR-compliant Privacy by Design process.
- B . Institute a GDPR-compliant employee monitoring process.
- C . Maintain a secure Bring Your Own Device (BYOD) program.
- D . Ensure cloud vendors are complying with internal data use policies.
C
Explanation:
Reference: https://www.itproportal.com/features/heading-off-the-spectre-of-gdpr-compliance-with-secure-byod/
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
- A . Protection of the interests of the data subjects.
- B . Performance of a contract
- C . Legitimate interest
- D . Consent
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A . The ePrivacy Directive allows individual EU member states to engage in such data retention.
- B . The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
- C . The Data Retention Directive’s annulment makes such data retention now permissible.
- D . The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
A
Explanation:
The ePrivacy Directive (2002/58/EC), often referred to as the Cookie Directive, focuses on the confidentiality of communications and the protection of personal data in the electronic communications sector. Article 15(1) of the ePrivacy Directive allows EU member states to adopt legislative measures to restrict the scope of certain rights and obligations when necessary to safeguard, among other things, national security, defense, and public security, and for the prevention, investigation, detection, and prosecution of criminal offenses. This means that individual EU member states can engage in data retention for law enforcement purposes, but any such retention must respect the fundamental principles of necessity and proportionality.
To provide further clarity:
B. The ePrivacy Directive does not harmonize EU member states’ rules concerning data retention; rather, it provides a framework within which member states can legislate.
C. The Data Retention Directive (2006/24/EC) was introduced to harmonize member states’ approaches to data retention for law enforcement purposes. However, in 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid because it disproportionately infringed upon fundamental rights. Its annulment doesn’t make data retention permissible per se; rather, the legal landscape went back to relying on the provisions of the ePrivacy Directive and national legislation.
D. The GDPR primarily addresses the protection of personal data and its processing. While it does mention processing for law enforcement purposes, the directive specifically governing data processing for law enforcement is the Directive (EU) 2016/680 (often referred to as the Law Enforcement Directive). The GDPR itself does not set out provisions specifically for the retention of communications traffic data for law enforcement.
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
- A . To encourage the consistency of local data processing activity.
- B . To give corporations a choice about who their supervisory authority will be.
- C . To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
- D . To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.
A news website based in the United States reports primarily on North American events. The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a paid subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?
- A . Payments cannot be made in a European Union currency.
- B . The controller does not have an establishment in the European Union.
- C . The website is not available in several official languages of European Union Member States.
- D . The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a U.S. location.
What is true if an employee makes an access request to his employer for any personal data held about him?
- A . The employer can automatically decline the request if it contains personal data about a third person.
- B . The employer can decline the request if the information is only held electronically.
- C . The employer must supply all the information held about the employee.
- D . The employer must supply any information held about an employee unless an exemption applies.
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if:
- A . The data subject already has information regarding how his data will be used
- B . The provision of such information to the data subject would be too problematic
- C . Third-party data would be disclosed by providing such information to the data subject
- D . The processing of the data subject’s data is protected by appropriate technical measures
A
Explanation:
Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/
According to the GDPR, how is pseudonymous personal data defined?
- A . Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
- B . Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
- C . Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
- D . Data that has been encrypted or is subject to other technical safeguards.
A
Explanation:
Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/
A U.S. company’s website sells widgets.
Which of the following factors would NOT in itself subject the company to the GDPR?
- A . The widgets are offered in the EU and priced in euro.
- B . The website is in English and French, and is accessible in France.
- C . An affiliate office is located in France but the processing is in the U.S.
- D . The website places cookies to monitor the EU website user behavior.
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
- A . The obligation of companies to declare data breaches.
- B . The requirement to demonstrate compliance to a supervisory authority.
- C . The necessity of the bulk collection of personal data by the government.
C
Explanation:
Convention 108+ (the modernized version of Convention 108) is the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Both Convention 108+ and the GDPR aim to enhance personal data protection, but they might not mirror each other in all provisions.