IAPP CIPP-E Real Exam Questions
The questions for CIPP-E were last updated on Dec 19, 2024.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Dec 19, 2024
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A . The requirements affected individuals without exception.
- B . The requirements were financially burdensome to EU businesses.
- C . The requirements specified that data must be held within the EU.
- D . The requirements had limitations on how national authorities could use data.
A
Explanation:
In 2014, the European Court of Justice (ECJ) declared the Data Retention Directive (2006/24/EC) invalid. The Directive required communication service providers to retain certain categories of data (related to electronic communications) for a period of between 6 months and 2 years, so as to ensure that the data would be available for the purpose of the investigation, detection, and prosecution of serious crime.
The ECJ found the directive to be invalid because it constituted a serious interference with fundamental rights to respect for private life and to the protection of personal data. The Directive affected all individuals without any exception, lacked clear criteria, and did not provide sufficient safeguards against the risk of abuse and unlawful access. It did not require any relationship between the data whose retention was provided for and a threat to public security, which meant even individuals not suspected of any wrongdoing had their data retained.
Option B is incorrect because the decision was not primarily based on financial burdens to businesses.
Option C is incorrect as the decision did not relate to data localization or where data must be held.
Option D is incorrect because the Directive’s problem was that it lacked sufficient limitations and safeguards rather than having them.
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
- A . The ability to enact new laws by executive order.
- B . The right to access data for investigative purposes.
- C . The discretion to carry out goals of elected officials within the member state.
- D . The authority to select penalties when a controller is found guilty in a court of law.
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
- A . New corporate governance and code of conduct.
- B . A data protection impact assessment.
- C . A comprehensive data inventory.
- D . Hiring a data protection officer.
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A . Name and contact details of each controller on behalf of which the processor is acting.
- B . Categories of processing carried out on behalf of each controller for which the processor is acting.
- C . Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
- D . Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
D
Explanation:
While processors are required to maintain records of their processing activities, details of any data protection impact assessment (DPIA) are the responsibility of the controller, not the processor. The GDPR does not mandate that processors include details of DPIAs in their records of processing activities.
The Planet 49 CJEU Judgement applies to?
- A . Cookies used only by third parties.
- B . Cookies that are deemed technically necessary.
- C . Cookies regardless of whether the data accessed is personal or not.
- D . Cookies where the data accessed is considered as personal data only.
C
Explanation:
Reference: https://www.twobirds.com/en/news/articles/2019/global/planet49-cjeu-rules-on-cookie-consent
WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679” provides examples of ways to communicate data breaches transparently.
Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
- A . A postal notification
- B . A direct electronic message
- C . A notice on a corporate blog
- D . A prominent advertisement in print media
C
Explanation:
Reference: https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827
In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?
- A . If the cookies do not track personal data, then pre-checked boxes are acceptable.
- B . If the ePrivacy Directive requires consent for cookies, then the GDPR’s consent requirements apply.
- C . If a website’s cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
- D . If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
- A . Notify its Data Protection Authority about the data breach.
- B . Analyze and evaluate the liability for customers in Ireland.
- C . Analyze and evaluate all of its breach notification obligations.
- D . Notify all of its customers that reside in the European Union.
Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?
- A . Choose the data protection officer that is most sympathetic to their business concerns.
- B . Designate their main establishment in the member state with the most flexible practices.
- C . File appeals of infringement judgments with more than one EU institution simultaneously.
- D . Select third-party processors on the basis of cost rather than quality of privacy protection.
B
Explanation:
Reference: https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr
How does the GDPR now define “processing”?
- A . Any act involving the collecting and recording of personal data.
- B . Any operation or set of operations performed on personal data or on sets of personal data.
- C . Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- D . Any operation or set of operations performed by automated means on personal data or on sets of personal data.
B
Explanation:
Reference: https://gdpr-info.eu/issues/processing/