ベストな準備プランCIPP-E試験2024年最新のCertified Information Privacy Professional無制限270問題 [Q30-Q46]

Share

ベストな準備プランCIPP-E試験2024年最新のCertified Information Privacy Professional無制限270問題

注目すべき時短になるCIPP-Eオールインワン試験ガイド


IAPPのCIPP-E認定試験は、ヨーロッパのプライバシー法に興味を持つ専門家にとって、優れた機会です。この認定プログラムは、複雑なヨーロッパのプライバシーの景観を航行するために必要なスキルと知識を専門家に提供し、世界的にプライバシー専門家の主要な認定プログラムとして認められています。経験豊富な専門家であろうと、新しい分野であろうと、CIPP-E認定試験は、キャリアを進め、プライバシー分野での専門知識を証明する優れた方法です。

 

質問 # 30
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?

  • A. Article 16, which provides data subjects with a rights to rectification.
  • B. Article 6, which requires processing to be lawful.
  • C. Article 7, which requires consent to be as easy to withdraw as it is to give.
  • D. Article 20, which gives data subjects a right to data portability.

正解:C


質問 # 31
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  • A. Ensure that local laws do not impede the company from meeting its contractual obligations.
  • B. Submit the contract to its own government authority.
  • C. Ensure that notice is given to and consent is obtained from data subjects.
  • D. Supply any information requested by a data protection authority (DPA) within 30 days.

正解:A

解説:
The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. Reference: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR


質問 # 32
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?

  • A. Cross-border processing
  • B. Special categories of data
  • C. Data access disputes
  • D. Data subject rights

正解:A


質問 # 33
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

  • A. A data controller who plans to use a new technology product that has already undergone a DPIA by the product's provider.
  • B. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
  • C. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
  • D. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

正解:C

解説:
According to the WP29 guidance on DPIA1, conducting a single DPIA to address multiple processing operations is allowed when the following conditions are met:
The processing operations present similar high risks, which would result in very similar mitigating measures; The DPIA is reviewed and updated regularly to take into account any changes or new risks; The DPIA is complemented by ad hoc assessments where necessary to address more specific issues.
The WP29 guidance cites the example of a railway operator who plans to evaluate the same video surveillance in all the train stations of his company as a case where a single DPIA would be sufficient, provided that the above conditions are met2. The other options do not meet these conditions, as they involve different types of processing operations, different purposes, different data subjects, or different technologies. Reference:
WP29 guidance on DPIA
WP29 guidance on DPIA, page 16


質問 # 34
Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing dat a. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

  • A. It collects data from subjects and uses it for automated processing.
  • B. It monitors the behavior of data subjects in the European Union.
  • C. It collects data from European Union websites, which constitutes an establishment in the European Union.
  • D. It offers services in the European Union by identifying data subjects in the European Union.

正解:B

解説:
According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union2; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union3; Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union4. Reference: 1: Article 3(2) of the GDPR; 2: EDPB Guidelines, paragraph 20; 3: EDPB Guidelines, paragraph 38; 4: EDPB Guidelines, paragraph 50.


質問 # 35
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

  • A. If the cookies do not track personal data, then pre-checked boxes are acceptable.
  • B. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
  • C. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.
  • D. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

正解:C

解説:
According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user's device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. Reference:
Free CIPP/E Study Guide, page 14, section 2.3
GDPR, Article 4 (11)
ePrivacy Directive, Article 5 (3)
Planet49: CJEU Rules on Cookie Consent
CURIA - List of results


質問 # 36
SCENARIO
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • B. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
  • C. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
  • D. Louis does not have the right to object to the use of his data because he previously consented to it.

正解:A

解説:
Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
The GDPR states that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing" and that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."3 This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it.2 Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock's affiliates.4


質問 # 37
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. Personal data of EU residents being processed by a non-EU business that targets EU customers.
  • B. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
  • C. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • D. The behavior of suspected terrorists being monitored by EU law enforcement bodies.

正解:C

解説:
According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.
Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.
Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.
Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.
Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.


質問 # 38
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft's use of pseudonymization is NOT in compliance with the CDPR because?

  • A. JaphSoft was in possession of information that could be used to identify data subjects.
  • B. JaphSoft failed to keep personally identifiable information in a separate database.
  • C. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
  • D. JaphSoft failed to first anonymize the personal data.

正解:C


質問 # 39
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
What would be the most appropriate response to Jacks data subject access request?

  • A. The company should not provide any information, as the company is headquartered outside of the EU.
  • B. The company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.
  • C. The company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.
  • D. The company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.

正解:B

解説:
According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.
In this scenario, Jack's DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.
Option A is incorrect because the company's headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.
Option C is incorrect because the company cannot agree to provide the information requested in Jack's original DSAR within a period of 3 months, as this would violate the data subject's right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.
Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject's right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Reference:
Right of access
Territorial scope


質問 # 40
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

  • A. Approved data controllers.
  • B. The Council of the European Union.
  • C. National data protection authorities.
  • D. The European Data Protection Supervisor.

正解:A

解説:
Explanation/Reference: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/ standard-contractual-clauses-scc_en


質問 # 41
According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

  • A. The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.
  • B. The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.
  • C. The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.
  • D. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.

正解:A


質問 # 42
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

  • A. To conduct Privacy Impact Assessments on behalf of the controller or processor.
  • B. To create procedures for notification of personal data breaches to competent supervisory authorities.
  • C. To create and maintain records of processing activities.
  • D. To monitor compliance with other local or European data protection provisions.

正解:A

解説:
According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. Reference:
Article 35 of the GDPR
European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO Roles and Responsibilities of a Data Protection Officer


質問 # 43
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Requesting advice and technical support from Company A's IT team.
  • B. Vetting companies' measures with the appropriate supervisory authority.
  • C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • D. Avoiding the use of another company's data to improve their own services.

正解:C


質問 # 44
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. HRYourWay is not located in a third country.
  • B. ProStorage can rely on its Binding Corporate Rules
  • C. HRYourWay was ultimately not selected
  • D. ProStorage will obtain consent for all transfers.

正解:D


質問 # 45
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

  • A. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
  • B. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
  • C. Failure to process personal information in a manner compatible with its original purpose.
  • D. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.

正解:A


質問 # 46
......


CIPP/E認定試験は、世界最大のプライバシー専門家協会である国際プライバシー専門家協会(IAPP)によって提供されています。 IAPPは、教育、ネットワーキングの機会、認定プログラムを提供することにより、プライバシーの専門職を推進することに取り組んでいます。 CIPP/E認定は、IAPPが提供する4つの認定の1つであり、他の認定はCIPP/US、CIPM、CIPTです。

 

合格保証付きCIPP-E問題集:https://jp.fast2test.com/CIPP-E-premium-file.html

あなたを合格さすIAPP CIPP-E試験専門はここにある:https://drive.google.com/open?id=1U3Obd5VUB4as2bDwh6SS-dNTRjkF8WWR


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어