
合格保証付きクイズ2025年最新の実際に出る検証済みのCIPP-E無料試験問題集
無料Certified Information Privacy Professional CIPP-E究極な学習ガイド(更新されたのは298問があります)
質問 # 16
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A. Information about how the measures are in the best interests of the company.
- B. Information about who employees should contact with any queries.
- C. Information about what is specified in the employment contract.
- D. Information about how providing consent could affect them as employees.
正解:C
質問 # 17
Which mechanism, introduced by the GDPR as a means of ensuring both compliance and transparency, allows for the possibility of personal data transfers to third countries under Article 42?
- A. Standard contractual clauses.
- B. Approved certifications.
- C. Law enforcement requests.
- D. Binding corporate rules.
正解:B
解説:
The General Data Protection Regulation (GDPR) introduces a mechanism for personal data transfers to third countries or international organisations that do not ensure an adequate level of data protection, based on approved certifications. According to Article 42 of the GDPR, the European Commission, the European Data Protection Board (EDPB) and the national data protection authorities (DPAs) shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors.
The specific needs of micro, small and medium-sized enterprises shall be taken into account.
The GDPR also provides that the certification mechanisms shall be voluntary and available via a transparent process. The certification shall be issued by the competent supervisory authority or by the certification bodies accredited by the supervisory authority or by the national accreditation body. The certification shall be valid for a maximum period of three years and may be renewed, under the same conditions, if the relevant requirements continue to be met. The certification shall be withdrawn, as the case may be, by the competent supervisory authority or by the certification bodies, where the requirements for the certification are not or are no longer met.
The GDPR further stipulates that the certification shall be issued to a controller or processor who has demonstrated, in accordance with the approved certification criteria, that the processing of personal data is in compliance with the GDPR. The certification shall specify the scope and purpose of the processing, the criteria applied and the duration of the validity of the certification. The certification shall not reduce the responsibility of the controller or the processor for compliance with the GDPR and shall not be interpreted as an endorsement of the quality or reliability of the products or services of the controller or the processor by the supervisory authority or the certification body.
The GDPR also states that the certification mechanisms shall contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the different risks for the rights and freedoms of data subjects. The certification mechanisms shall allow for the verification of compliance with the GDPR of processing operations by controllers and processors not established in the EU, regardless of the location of the processing. The certification mechanisms shall also provide for the possibility to demonstrate compliance with the GDPR for personal data transfers to third countries or international organisations under Article 46, which sets out the rules and requirements for the transfer of personal data to third countries or international organisations based on appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms.
References:
GDPR, Articles 42, 43, 44, 45, 46, 47, 48 and 49.
EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15.
Free CIPP/E Study Guide, pages 9, 10, 11 and 12.
質問 # 18
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric dat a. Which of the following is NOT one of these exceptions?
- A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
- B. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
- C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
- D. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
正解:A
質問 # 19
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?
- A. An explanation of the purposes and means of the intended processing.
- B. Records showing that customers have explicitly consented to the intended profiling activities.
- C. An evaluation of the complexity of the intended processing.
- D. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.
正解:A
解説:
According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:
the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings; the purposes and means of the intended processing; the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR; the contact details of the data protection officer, if any; the data protection impact assessment provided for in Article 35; and any other information requested by the supervisory authority.
Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing , or the designation of the data protection officer (D). Reference:
Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.
ICO guidance, which explains the process and requirements of the prior consultation.
EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.
質問 # 20
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?
- A. Personal data revealing ethnic origin.
- B. Personal data revealing genetic data.
- C. Personal data revealing trade union membership.
- D. Personal data revealing financial data.
正解:D
質問 # 21
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent.
All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?
- A. The European Data Protection Board.
- B. The Court of Justice of the European Union.
- C. The Data Protection Authority.
- D. The European Commission.
正解:C
質問 # 22
Which sentence BEST summarizes the concepts of "fairness," "lawfulness" and "transparency", as expressly required by Article 5 of the GDPR?
- A. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.
- B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.
- C. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.
- D. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.
正解:C
解説:
According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. Reference: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/
質問 # 23
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores.
Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
What presents the BIGGEST potential privacy issue with the company's practices?
- A. The information about the data processing involved has not been specified
- B. The NFC portal can read any data stored in the action figures
- C. The cloud service provider is in a country that has not been deemed adequate
- D. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
正解:A
解説:
While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:
* Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.
* Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.
* Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.
* Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.
質問 # 24
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
- A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
- B. Vetting companies' measures with the appropriate supervisory authority.
- C. Avoiding the use of another company's data to improve their own services.
- D. Requesting advice and technical support from Company A's IT team.
正解:A
解説:
Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.
Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.
Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.
Reference:
1: Art. 82 GDPR - Right to compensation and liability - General Data Protection Regulation (GDPR)
2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu
3: GDPR Article 82: Right to compensation and liability - Advisera
4: Article 82 GDPR | Right to compensation and liability
質問 # 25
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
- A. The European Data Protection Board.
- B. The local Data Protection Supervisory Authorities.
- C. The EU Commission.
- D. The Member States.
正解:D
質問 # 26
A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?
- A. The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.
- B. The homeowner has not specified which security measures ore in place as part of the surveillance camera system
- C. The surveillance camera system can potentially film individuals who enter its filming perimeter
- D. The GDPR specifically excludes surveillance camera images from the household exemption
正解:C
質問 # 27
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
- B. The Data Retention Directive's annulment makes such data retention now permissible.
- C. The ePrivacy Directive allows individual EU member states to engage in such data retention.
- D. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
正解:A
解説:
Reference https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data- dumortier-goemans2f90.pdf (9)
質問 # 28
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''
- A. No, the assessors do not quality as data processors as they only have access to encrypted data.
- B. Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.
- C. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
- D. No. the assessors do not quality as data processors as they do not copy the data to their facilities.
正解:C
質問 # 29
When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?
- A. The nature, sensitivity and volume of personal data.
- B. The ease of identification of individuals.
- C. The special characteristics of the data controller.
- D. The size of any data processor involved.
正解:D
質問 # 30
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
What presents the BIGGEST potential privacy issue with the company's practices?
- A. The information about the data processing involved has not been specified
- B. The NFC portal can read any data stored in the action figures
- C. The cloud service provider is in a country that has not been deemed adequate
- D. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
正解:A
質問 # 31
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
- A. Protecting against legal liability from Ruth.
- B. Protecting the vital interest of Ruth.
- C. Performance of a contract with Ruth.
- D. Ruth's implied consent.
正解:B
解説:
According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth's medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.
質問 # 32
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
- A. The European Parliament
- B. The European Council
- C. The European Commission
- D. The Council of the European Union
正解:D
質問 # 33
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
- A. The European Commission
- B. The European Parliament
- C. The European Council
- D. The Article 29 Working Party
正解:A
解説:
According to Article 45 of the GDPR, the European Commission has the power to determine, on the basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an international organisation ensures an adequate level of data protection. This means that the data protection rules and standards in that country or organisation are equivalent to those in the EU. The effect of an adequacy decision is that personal data can flow freely from the EU to that country or organisation without any further safeguards or authorisations. The European Commission has adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the EU-US Data Privacy Framework. Reference: Data protection adequacy for non-EU countries, Adequate Level of Protection
質問 # 34
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
- A. An efficient means of providing written consent in member states where they are required to do so.
- B. A privacy notice containing brief information whilst offering access to further detail.
- C. An explanation of the security measures used when personal data is transferred to a third party.
- D. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
正解:B
質問 # 35
The origin of privacy as a fundamental human right can be found in which document?
- A. Universal Declaration of Human Rights 1948.
- B. OECD Guidelines on the Protection of Privacy 1980.
- C. Charier of Fundamental Rights of the European Union 2000.
- D. European Convention of Human Rights 1953.
正解:A
解説:
The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). Reference:
IAPP CIPP/E Study Guide, page 7
[Universal Declaration of Human Rights]
[Article 12 of the UDHR]
質問 # 36
What is the most frequently used mechanism for legitimizing cross-border data transfer?
- A. Derogations.
- B. Standard Contractual Clauses.
- C. Approved Code of Conduct.
- D. Binding Corporate Rules.
正解:B
質問 # 37
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion- dollar candy company operating in every continent. All of the company's IT servers are located in Vermont.
This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone' s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
- A. Analyze and evaluate the liability for customers in Ireland.
- B. Notify all of its customers that reside in the European Union.
- C. Analyze and evaluate all of its breach notification obligations.
- D. Notify its Data Protection Authority about the data breach.
正解:C
解説:
According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 (1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).
Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.
References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2
質問 # 38
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?
- A. Lawfulness, fairness and transparency
- B. Integrity and confidentiality
- C. Storage Limitation
- D. Accuracy
正解:B
解説:
Reference https://www.icaew.com/technical/technology/data/data-protection/data-protection-articles/do-i- have-to-encrypt-personal-data-to-comply-with-dpa-2018
質問 # 39
Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?
- A. The payment card number of a Dutch citizen
- B. The U.S. social security number of an American citizen living in France
- C. The unlinked aggregated data used for statistical purposes by an Italian company
- D. The identification number of a German candidate for a professional examination in Germany
正解:C
質問 # 40
......
IAPP CIPP-E(Certified Information Privacy Professional / Europe)試験は、データプライバシー分野で働く専門家のために国際プライバシー専門家協会(IAPP)が提供する認定です。この試験は、欧州で働く個人を対象に設計されており、欧州連合の一般データ保護規則(GDPR)をカバーしています。CIPP-E認定は業界で高く評価され、欧州のプライバシー専門家の標準として認められています。
今すぐトップクラスを試そうCIPP-E練習試験問題:https://jp.fast2test.com/CIPP-E-premium-file.html
実際問題を使おうCIPP-E問題集無料サンプル問題と練習テストエンジン:https://drive.google.com/open?id=1U3Obd5VUB4as2bDwh6SS-dNTRjkF8WWR