
最新の[2024年12月03日]CIPP-E試験問題集で有効で更新された問題集
無料お試しまもなく終了!100%有効なCIPP-E試験問題集には270問があります
IAPP CIPP-E試験は、欧州のデータプライバシーで働く専門家にとって重要な認定試験です。これは、候補者のGDPRやその他のデータ保護法、プライバシー原則、データ漏えいに関する知識と理解をテストします。適切な準備をすれば、候補者は試験に合格し、データプライバシー分野の専門知識を証明する高く評価される認定資格を取得することができます。
IAPP CIPP-E認定は、情報プライバシーの分野で働くことに興味がある人や、この分野での知識と専門知識を実証したい人にとって貴重な資格です。試験に合格することにより、候補者は、個人データを保護し、GDPRに定められているプライバシーとデータ保護の原則を支持するというコミットメントを実証できます。
質問 # 107
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?
- A. Not more than thirty days after submission of Mike's request.
- B. Not more than one month of receipt of Mike's request.
- C. Not more than two months after verifying Mike's identity.
- D. When all the information about Mike has been collected.
正解:A
質問 # 108
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
Which of the following is T-Craze's lead supervisory authority?
- A. Spain, because that is T-Craze's primary market based on its marketing campaigns.
- B. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.
- C. Germany, because that is where T-Craze is headquartered.
- D. France, because that is where T-Craze conducts processing of personal information.
正解:C
解説:
According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze's lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. Reference: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.
質問 # 109
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asi a. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
What presents the BIGGEST potential privacy issue with the company's practices?
- A. The information about the data processing involved has not been specified
- B. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
- C. The NFC portal can read any data stored in the action figures
- D. The cloud service provider is in a country that has not been deemed adequate
正解:A
解説:
While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:
Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.
Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.
Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.
Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.
質問 # 110
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To monitor compliance with other local or European data protection provisions.
- B. To create procedures for notification of personal data breaches to competent supervisory authorities.
- C. To create and maintain records of processing activities.
- D. To conduct Privacy Impact Assessments on behalf of the controller or processor.
正解:D
解説:
According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. Reference:
Article 35 of the GDPR
European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO Roles and Responsibilities of a Data Protection Officer
質問 # 111
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?
- A. Categories of recipients to whom the personal data have been disclosed.
- B. Retention periods for erasure and deletion of categories of personal data.
- C. Data inventory or data mapping exercises that have been conducted.
- D. Incidents of personal data breaches, whether disclosed or not.
正解:D
解説:
Article 30 of the GDPR requires controllers and processors to maintain records of their processing activities, which include information such as the purposes of the processing, the categories of personal data, the recipients of the data, the retention periods, and the security measures12. However, Article 30 does not require controllers to keep records of incidents of personal data breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34, which require controllers to notify the supervisory authority and the data subjects of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons34. Reference: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR Section: (none) Explanation
質問 # 112
How does the GDPR now define "processing"?
- A. Any act involving the collecting and recording of personal data.
- B. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- C. Any operation or set of operations performed on personal data or on sets of personal data.
- D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
正解:A
解説:
Explanation/Reference: https://gdpr-info.eu/issues/processing/
質問 # 113
Which sentence BEST summarizes the concepts of "fairness," "lawfulness" and "transparency", as expressly required by Article 5 of the GDPR?
- A. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.
- B. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.
- C. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.
- D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.
正解:B
解説:
According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. Reference: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/
質問 # 114
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?
- A. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.
- B. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
- C. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
- D. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.
正解:A
質問 # 115
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
- A. Restrict camera placement to building entrances only.
- B. Retain captured footage for no more than 30 days.
- C. Seek informed consent from company employees.
- D. Have cameras recording during work hours only.
正解:A
解説:
According to Article 5 of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')1. The company's decision to install cameras in the entrance of the building, hallways and offices may violate this principle, as it may expose the personal data of the employees and visitors to unnecessary risks, such as hacking, misuse or disclosure. Moreover, the company must also comply with the other principles of data processing, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation1. The company must have a legitimate and specific purpose for installing the cameras, and must inform the data subjects about the processing of their personal data. The company must also ensure that the cameras collect only the minimum amount of data necessary for the purpose, and that the data are accurate and kept for no longer than necessary. The company must also respect the rights and freedoms of the data subjects, and provide them with the means to exercise their rights, such as the right to access, rectify, erase, restrict, object or port2.
The most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR is to restrict the camera placement to building entrances only. This would limit the scope and impact of the data processing, and reduce the risks to the personal data of the employees and visitors. The company would still need to inform the data subjects about the processing, and ensure that the footage is securely stored and transferred, especially if it is monitored by the home office in the United States, which is a third country that may not offer adequate protection for personal data3. The company would also need to consider the possibility of obtaining the consent of the data subjects, or relying on another legal basis for the processing, such as the legitimate interests of the company or the performance of a contract4. Reference:
Article 5 of the GDPR
[Article 12-23 of the GDPR]
[Article 44-50 of the GDPR]
[Article 6 of the GDPR]
質問 # 116
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization.
The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A. Information about who employees should contact with any queries.
- B. Information about what is specified in the employment contract.
- C. Information about how the measures are in the best interests of the company.
- D. Information about how providing consent could affect them as employees.
正解:B
質問 # 117
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?
- A. Consent for data collection is implied through the parent's purchase of the action figure for the child.
- B. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
- C. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
- D. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
正解:D
解説:
According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of ISS include online marketplaces, social media platforms, and online games.
In this scenario, the company is offering an ISS to children, as the connected toys can talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice, questions, preferences, and location. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children's best interests.
The other options are incorrect because:
A) The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children's consent.
B) The company does not need to obtain written authorization from the supervisory authority to process children's data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state, and it can intervene only in cases of non-compliance or complaints.
C) Consent for data collection cannot be implied through the parent's purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent's agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.
質問 # 118
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.
How should the company respond to Jack's request to be forgotten?
- A. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.
- B. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
- C. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.
- D. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.
正解:A
質問 # 119
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?
- A. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
- B. Identify other controllers who are processing the same information and inform them of the delisting request.
- C. Notify the newspaper that its article it is delisting the article.
- D. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.
正解:C
解説:
According to the European Data Protection Law & Practice textbook, page 326, "the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful." However, the CJEU also stated that "the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine's results following a search made on the basis of the data subject's name." Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject's right to be forgotten. Reference:
European Data Protection Law & Practice, page 326
CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez, paragraphs 88 and 93
質問 # 120
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?
- A. Student records
- B. Staff and alumni records
- C. Frank's performance database
- D. Department for Education records
正解:B
質問 # 121
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
- C. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
- D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
正解:D
質問 # 122
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A. A mandatory notification for personal data breaches applicable to electronic communication providers.
- B. A voluntary notification for personal data breaches applicable to all data controllers.
- C. A voluntary notification for personal data breaches applicable to electronic communication providers.
- D. A mandatory notification for personal data breaches applicable to all data controllers.
正解:A
解説:
Reference https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136
質問 # 123
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?
- A. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.
- B. The request is to obtain access and information about the purpose of processing his personal data.
- C. The request is to obtain access and correct inaccurate personal data in his profile.
- D. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
正解:D
質問 # 124
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
- A. Approved certifications.
- B. Binding corporate rules.
- C. Law enforcement requests.
- D. Standard contractual clauses.
正解:A
質問 # 125
A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?
- A. Other data held by Internet Service Providers (ISPs).
- B. Other data held by the controller
- C. Other data held by the processor.
- D. Other data held by recipients of the data.
正解:A
質問 # 126
Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?
- A. That it takes the form of a Regulation as opposed to a Directive
- B. That it makes appointment of a data protection officer mandatory
- C. That it essentially functions as a one-stop shop mechanism
- D. That it makes notification of large-scale data breaches mandatory
正解:B
解説:
Reference https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
質問 # 127
......
CIPP-E試験問題集で100%高得点させるCIPP-E試験解答がこちら:https://jp.fast2test.com/CIPP-E-premium-file.html
検証済みのCIPP-E試験問題成功確定させます:https://drive.google.com/open?id=1O1zRi1fggBTUPs8X9Nb_AQ-yk-gBS0qq